CEH V8- General high-level studying
This set contains the most important items to take away from the class in order to prep for the test. Please send me a message if you find any discrepancies!
Terms in this set (84)
State the 5 Phases of a cyber attack
3. Gaining Access
4. Maintaining access
5. Clearing Tracks
What types of Information Gathering can you do? (Hint, this is for both phase one and two!)
1. Unearth initial information
2. Locate the network range
3. Ascertain active machines
4. Open ports / access points
5. Detect operating systems
6. Uncover services on ports
7. Map the network
Which United States Code(s) cover the Computer Fraud and Abuse Act?
of the US Code:
1029 Possession of Access Devices
1030 Fraud and Related Activity in Connection with Computers
What does CAN-SPAM refer to?
Email Marketing legalities
What does the SPY-Act cover?
Protects vendors monitoring for license
What is the DMCA - Digital Millennium Copyright Act for?
Protecting intellectual property.
What does HIPPA - Health Information Portability and Protection Act cover?
Privacy of Health information and medical records.
What does GLBA - Gramm-Leach-Bliley Act cover?
Controls the use of personal financial data.
What does PCI-DSS- Payment Card Industry Data Security Standard cover?
Regulates Credit card processing.
In Europe what do these two acts address?
Computer misuse act of 1990
Human Rights Act of 1990
Computer misuse act of 1990- Addresses hacking activities
Human Rights Act of 1990- Ensures Privacy Rights.
ISO 27002/ BS7799v2/NIST SP800
Guidelines for Security practices.
What is ISO 17024 for?
Sets out criteria for an organization's certification program for individual persons.
What is OWASP?(Super important!)
Open Web Application Security Protocol. Strives to make more secure web applications.
What does OSSTMM stand for?
OSSTMM Open Systems Security Testing Methods and Methodology
What is the SDLC (Software Design Life Cycle)?
- Requirements Analysis: where threat analysis should be performed
- Develop / Test
- Support / Evaluate / Monitor
(T/F) DNS is critical in the footprinting of a target network.
True! It can sometimes save the attacker a lot of time, or at least corroborate other information that has been gathered. DNS is also a target for several types of attack.
What are the TCP and UDP DNS ports?
UDP 53: most resolutions
TCP 53: zone transfers
TCP 53: DNSSEC
What are commands you can use to request a zone transfer?
nslookup; ls -d example.dom
dig @ns1.example.dom AXFR
host -t AXFR example.dom ns1.example.dom
Name the Five Regional Internet Registrars
ARIN (North America)
APNIC (Asia Pacific Region)
LACNIC (Southern and Central America and Caribbean)
RIPE NCC (Europe, the Middle East and Central Asia)
List types of attacks against DNS Servers
Zone transfers- Information gathering shortcut.
Zone poisoning- Breach the primary server and alter the zone file to corrupt the domain.
Cache poisoning- Send false answers to cache servers until they store them.
Reflection DoS- Send bogus requests into a chain of servers that do recursive queries.
What is the command line syntax for an NMAP Ping scan?
nmap -sP <IP addr>
Ping: -sn (disables port scan) -PE (ICMP echo) -PO (protocol of ping)
What is the command line syntax for an NMAP List scan?
What is the command line syntax for an NMAP Protocol Scan?
What is the command line syntax for an NMAP Verify scan?
In an NMAP Syn Stealth scan, what response will you get from a windows host if the port is open? Closed?
What 3 inverse scans will only work on Linux hosts?
Null, XMAS and Fin
What is special about an ack scan?
Scans open ports on non-stateful firewalls.
Which nmap options will do OS detection, Version detection, Script scanning and Traceroute?
What does nmap -O give you?
Fingerprinting, but must have one open and one closed port to work.
Ports and Protocols to know: resource on back!
Go here to study CEH ports and protocols to know for the test.
What is the syntax for establishing a Null Session on a windows box?
net use \\[target ip]\IPC$ "" /user:""
If you have a microsoft SID of 500, who are you?
You are the local Administrator. Any SID above 1000 is a user.
What are the 4 types of password cracking techniques?
Dictionary, Brute Force, Hybrid, and Guessing.
Describe an LM Hash
Every password is ultimately 14 characters long, split into two 7-character halves. (Passwords that are less than 7 characters are easily identified in the SAM file.)
Define Rainbow Tables
"Time / Memory Trade off": less memory than a lookup, less computing than a brute force. Salting the hash is a way to combat rainbow tables.
Name some popular cracking Tools
John the Ripper- Command line tool that runs under both Windows and Linux.
L0phtcrack- Commercial tool.
Ophcrack- Open source tool that supports rainbow tables.
Cain and Abel- Powerful multipurpose tool that can sniff and crack passwords.
What is a Wrapper or Binder?
Application used to combine a malicious binary and a legitimate
Can be installed via Trojan, used to hide processes that create
Reverses a connection outbound through an HTTP or SHTTP
Netcat in reference to Trojans
Not really a Trojan, but often used in Trojan code to setup the
Keylogger Records the keystrokes on the install host and saves them in a log
What is the Lifecycle of a virus?
Design - > Replication -> Launch -> Detection -> Incorporation -> Elimination
What is a Boot Virus
Infects the boot sector of floppies or hard disks
Written in Microsoft Office Macro language
Spreads via network shares
Hides in a file, copies itself out to deliver payload
Hides in the empty areas of an executable
Trace interceptor programs that monitor OS Kernel requests
Disguises itself as a legit file/ files
infects via multiple vectors
What was the first internet worm?
The Morris Worm.
Name some methods for defeating a switch
Admin the switch- If the password for the switch can be guessed, a port can be placed into monitor mode.
MAC Spoofing -Set the MAC address of a NIC to the same value as another.
MAC Flooding- Overwhelm the CAM table of the switch so it fails to hub mode.
ARP Poisoning- Inject incorrect information into the ARP caches of two or more endpoints.
What is the broadcast MAC address?
ICMP types and codes:
Type  Code  Description
0     0     Echo Reply
3     -     Destination Unreachable
3     13    Administratively Prohibited
8     0     Echo Request
5     0     Redirect
11    0     Time Exceeded
13    -     Timestamp Request
Social engineering principles
Authority- An intimidating presence
Scarcity- Create the perception of loss or lack of access to a resource
Liking- Charm and charisma
Reciprocation- The victim believes they owe the attacker a favor
Consistency- Appealing to a victim's true feelings and opinions
Social Validation- Compliments and praise
Types of social engineers
Insider Associates- Have limited authorized access, and escalate privileges from there.
Insider Affiliates- Are insiders by virtue of an affiliation; they spoof the identity of the insider.
Outsider Affiliates- Are non-trusted outsiders that use an access point that was left open.
In physical security, what is the difference between Tailgating and piggybacking?
Tailgating- When you use someone else's credentials to gain access.
Piggy Backing- When someone else opens the door and you walk in behind them.
Name some DoS methods (Ex, buffer overflow)
Buffer Overflows- Crashes applications or services.
Smurf- Spoofed traffic sent to the broadcast address of a network.
Fraggle- UDP version of the Smurf, usually bouncing Chargen traffic off Echo ports.
Ping of Death- Packet larger than the 64k limit.
Teardrop- Offset values modified to cause fragments to overlap during reassembly, results in a short packet.
Unnamed- Offset values modified to cause gaps between fragments, results in long packets.
Syn Flood- SYN flags sent to open ports, no completion of the handshake.
Land- Traffic sent to a victim spoofing itself as the source, results in ACK storms.
Winnuke- Sends TCP traffic with the URG flag set, causes CPU utilization to peak.
What Cisco command would help defend against a DoS attack.
no ip directed-broadcast
Define Stack and Heap
Stack- Memory place for short term processing
Heap- Memory space for long term program execution
Define Push and Pop (hint: its not a dance move.)
Push- "Push" new instructions onto the stack
Pop- "Pop" instructions off the stack when processed
What is EIP?
Execute Instruction Pointer
Define NOOP and NOOP Sled
NOOP- A "do nothing" instruction that wastes a clock cycle
NOOP Sled- Placed in a buffer overflow exploit to aid in running the payload.
HTTP Codes: 200 series, 400 series, and 500 series.
200 Series- Everything is OK
400 Series- Could not provide requested resource (page not found, moved, authentication)
500 Series- Could not process request (script error, database connection error)
Uses RC4 for the stream cipher with a 24b initialization vector
Key sizes are 40b or 104b, not very secure at all and very easy to crack.
Define WPA, WPA/TKIP and WPA2. Specifically, how do they differ?
WPA Uses RC4 for the stream cipher but supports longer keys
WPA/TKIP Changes the IV with each frame and includes key mixing
WPA2 Uses AES as the stream cipher and includes all the features of TKIP
What is OSA?
Open Systems Authentication is a non-protected AP that broadcasts its SSID
What is PSK?
Pre-Shared Key is protected by an encryption standard.
Wireless terms: War Driving, War Chalking, and Jamming
Wardriving- Driving around with portable equipment and locating wireless networks.
Warchalking- Writing symbols on the sidewalk or buildings communicating found networks.
Jamming- Producing white noise signals that overpower the Wifi networks.
Define Netstumbler, Ministumbler, Macstumbler
Netstumbler Finds wireless networks, SSIDS, and channels
Ministumbler for the pocket pc
Macstumbler for the Macintosh
Wireless Tools AirPcap, Airopeek, AircrackNG, and Airsnort.
AirPcap Hardware tool for wardriving, WEP cracking, and sniffing
Airopeek Sniffer that specializes in wireless traffic
AircrackNG WEP cracker
Airsnort Another WEP cracker
What is CoWPAtty?
A WPA offline brute force cracker
What is asLEAP?
Cracks LEAP authentication (and PPTP (MSCHAP) authentication)
What is the difference between refraction and diffraction
Refraction (bending caused by changing density ie: temp gradient; air => H2O)
Diffraction (bending when hit solid object)
List the 10 Linux File systems and what they are used for. (including root).
/ -Root of the file system
/var -Variable data, log files are found here
/bin -Binaries, commands for users
/sbin -System Binaries, commands for administration
/root -Home directory for the root user
/home -Directory for all home folders for non-privileged users
/boot -Stores the Linux Kernel image and other boot files
/proc -Direct access to the Linux kernel
/dev -direct access to hardware storage devices
/mnt -Place to mount devices onto the user mode file system
Name the two types of IDS:
Host based and Network based
What types of detection engines do IDSs have?
Signature based, anomaly based and statistical analysis.
Three most popular IDS Evasion techniques.
Encryption, fragmentation, and decoy traffic.
What will this nmap scan tell you?
nmap -sT -T5 -n -p 1-100 192.168.1.1
Use nmap to run a connect scan at a fast rate without DNS resolution to ports 1-100 at host 192.168.1.1
What will this command give you: nc -v -z -w 2 192.168.1.1
Netcat: show on the console a scan that sends packets every 2 seconds to host 192.168.1.1
What does this TCPDump command give you:
tcpdump -i eth0 -v -X ip proto 1
Use tcpdump to listen on interface eth0 and display layer 2 and 7 for ICMP traffic.
What does the following iptables command do for you?
iptables -A FORWARD -j ACCEPT -p tcp --dport 80
Use iptables and append the forward table with a rule that will jump to the accept table when tcp traffic that has a destination port of 80 is noticed.