
EC-Council Certified Ethical Hacker v6.1 Cheat Sheet Exercises

How to Use the Cheat Sheets

Students often report that the most difficult thing about the CEH exam is the terms, tools, numbers, log files, packet dumps and example scripts. None of these items can be understood without the concepts that give them meaning, but once the concepts are clear, it is still necessary to be exposed to the raw data until they are second nature.

Cheat sheets are exercises that can be used to assist with memorization and to refresh before the time of the exam. They are not comprehensive reference guides. They are designed to provide only enough data to trigger the memory or assess what needs to be better understood. Having a list of everything at your fingertips is helpful on the job but is almost useless as a study tool. You must interact with the data in order to convert it to information and own it. Since the exam is not open book, the goal is in fact to get to a point where you no longer need the cheat sheets at all.

Each cheat sheet is a concept object. These are examples to get you started and provide enough information to establish a grasp of the object at hand. Print them out, and hand copy each one in your own writing to another sheet of paper. Arrange the material in your own way, and add notes to them as you study. Practice this at least three times. On the third try you may find you can copy the entire thing without looking at the original. Then you have mastered it, and will have no problems recalling important data during the real exam.

In summary, to get the most out of these study aids, follow these simple tips:
1. Check back often for new versions
2. Print them out and copy them by hand to a blank piece of paper; three times.
3. Take additional notes, fill in any information that seems to be missing

Chapter Map for the Cheat Sheets

01 Ethical Hacking
02 Hacking Laws
03 Footprinting
04 Google Hacking
05 Scanning
06 Enumeration
07 System Hacking
08 Trojans and Backdoors
09 Virus and Worms
10 Sniffing, Spoofing, Hijacking
11 Social Engineering
12 Denial of Service
13 Buffer Overflows
14 Web Servers and Applications
15 Wireless Networks
16 Cryptography
17 Hacking Linux
18 IDS, Firewalls, Honeypots
** Misc Cheat Sheets

Cheat sheets: CEH Prerequisites; Terms and Definitions; Methodologies; Legal Issues; Domain Name Service; Google Hacking; NMap Scan Types; TCP Handshake; Ports and Protocols; Enumeration; Password Cracking; Trojans and Malware; Virus Trivia; Sniffing; MAC Addresses; Internet Protocol; Internet Control Message Protocol; User Datagram Protocol; Transmission Control Protocol; Social Engineering; DoS and DDoS Tools; Buffer Overflows; HTTP and URLs; Wireless Technology; Wardriving; Cryptography; Linux Operating System; Linux Commands; Firewalls and IPTables; IDS and Snort; Command Line Tools; Syntax Recognition; Random Recall Exercise

CEH Prerequisites

There are entry-level security classes, but security is not an entry-level subject. In order to be comfortable with the CEH training, prerequisites are assumed, and test items will involve topics that time might not permit covering during the live training. Prior to training, try to refresh your skills in the following areas. The more time spent on this step, the more comfortable the training experience will be.

Know the basics of information security
  Concepts such as "CIA" (Confidentiality, Integrity, Availability)
  Coverage would have come during CompTIA or CISSP training

Know the basics of networking
  Physical layer, cabling, hardware devices
  The function of switches, routers, firewalls
  IP addressing, subnetting and CIDR notation

Know how to convert numbers
  Decimal, octal, binary; in all directions and combinations

Know the basics of cryptography
  There is a module in the class on crypto, but there may not be time to cover it in class.
  Sufficient coverage would have come during CompTIA Security or CISSP

Know the OSI model
  7  Application   Service protocols
  6  Presentation  Data formats
  5  Session       Authentication, cryptographic agreements
  4  Transport     Ports, logical service-to-service connections
  3  Network       Network-to-network delivery
  2  Data Link     Host-to-host links, contention
  1  Physical      Media

Know how to use a Windows PC
  Be familiar with the Windows graphical user interface
  Find toolbar icons, manage folders and files, use network shares
  The labs in this class are difficult and must move rapidly; slowdowns for poor PC skills may result in just watching the demonstration at times. Please be understanding of this and courteous to the other students.

Terms and Definitions

Read the following terms and make sure you know their meaning. Look up any that you are not comfortable with. On your own cheat sheet, jot down any additional terms you run across that struck you as new or odd.

  Term                      Definition
  Hax0r                     Hacker
  Uberhacker                Good hacker
  L33t Sp33k                Replacing characters to avoid filters
  Full disclosure           Revealing vulnerabilities
  Hacktivism                Hacking for a cause
  Suicide Hacker            Hopes to be caught
  Ethical Hacker            Hacks for defensive purposes
  Penetration Test          Determine true security risks
  Vulnerability Assessment  Basic idea of security levels
  Vulnerability Researcher  Tracks down vulnerabilities
  White hat                 Hacks with permission
  Grey hat                  Believes in full disclosure
  Black hat                 Hacks without permission
  White Box                 A test everyone knows about
  Grey Box                  A test with a very specific goal but unspecific means
  Black Box                 A test no one knows is
  (term missing)            Potential event
  (term missing)            Weakness
  (term missing)            Accessibility
  (term missing)            Act of attacking
  Target of Evaluation
  Rootkit                   Hides processes that create backdoors
  Botnet                    Robot network that can be commanded remotely
  Buffer Overflow           Hijack the execution steps of a program
  Shrinkwrap Code           Reused code with vulnerabilities

Methodologies

This class tells a story, and understanding that story is far more important than memorizing these lists. Think about what actions are taken during each phase, and notice how they logically progress.

The phases of an attack
  1. Reconnaissance          Information gathering, physical and social engineering, locate network range
  2. Scanning - Enumerating  Live hosts, access points, accounts and policies, vulnerability assessment
  3. Gaining Access          Breach systems, plant malicious code, backdoors
  4. Maintaining Access      Rootkits, unpatched systems
  5. Clearing Tracks         IDS evasion, log manipulation, decoy traffic

Information Gathering
  1. Unearth initial information  What / who is the target?
  2. Locate the network range     What is the attack surface?
  3. Ascertain active machines    What hosts are alive?
  4. Open ports / access points   How can they be accessed?
  5. Detect operating systems     What platform are they?
  6. Uncover services on ports    What software can be attacked?
  7. Map the network              Tie it all together, document, and form a strategy.

Legal Issues

Be able to describe the importance of each of these items. The exam will not go into depth on this; just be prepared to identify the issues.

United States
  Computer Fraud and Abuse Act                         Addresses hacking activities
    18 U.S.C. 1029  Possession of Access Devices
    18 U.S.C. 1030  Fraud and Related Activity in Connection with Computers
  CAN-SPAM                                             Defines legal e-mail marketing
  SPY-Act                                              Protects vendors monitoring for licence enforcement
  DMCA - Digital Millennium Copyright Act              Protects intellectual property
  SOX - Sarbanes-Oxley                                 Controls for corporate financial processes
  GLBA - Gramm-Leach-Bliley Act                        Controls use of personal financial data
  HIPAA - Health Information Portability and Protection Act   Privacy for medical records
  FERPA - Family Educational Rights and Privacy Act    Protection for education records
  FISMA - Federal Information Security Management Act  Government networks must have security standards

Europe
  Computer Misuse Act of 1990  Addresses hacking activities
  Human Rights Act of 1990     Ensures privacy rights

Domain Name Service

DNS is critical in the footprinting of a target network. It can sometimes save the attacker a lot of time, or at least corroborate other information that has been gathered. DNS is also a target for several types of attack.

Fields in the SOA record (time in seconds)
  1882919  7200     3600   14400   2400
  Serial   Refresh  Retry  Expiry  TTL

Requesting a zone transfer
  nslookup; ls -d example.dom
  dig @ns1.example.dom AXFR
  host -t AXFR example.dom ns1.example.dom

Using whois
  whois example.dom

Regional Internet Registrars
  ARIN      (North America)
  APNIC     (Asia Pacific Region)
  LACNIC    (Southern and Central America and Caribbean)
  RIPE NCC  (Europe, the Middle East and Central Asia)
  AfriNIC   (Africa)

Attacks against DNS servers
  Zone transfers   Information gathering shortcut
  Zone poisoning   Breach the primary server and alter the zone file to corrupt the domain
  Cache poisoning  Send false answers to cache servers until they store them
  Reflection DoS   Send bogus requests into a chain of servers that do recursive queries
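The SOA fields above are what you see in a zone's SOA answer, in the order serial, refresh, retry, expire, minimum TTL. The following is an added example, not part of the cheat sheet: a small Python parser that picks those five timers out of a dig-style SOA line and applies the usual sanity rules a zone administrator checks (retry shorter than refresh, expire long enough to outlast refresh plus retry). The sample line is constructed around the cheat sheet's numbers; the zone and server names are placeholders.

```python
import re

# Constructed sample shaped like a dig SOA answer (not output from any real server).
# Field order after the two hostnames: serial refresh retry expire minimum-TTL.
SAMPLE_SOA_LINE = (
    "example.dom. 2400 IN SOA ns1.example.dom. hostmaster.example.dom. "
    "1882919 7200 3600 14400 2400"
)

SOA_RE = re.compile(
    r"^(?P<zone>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)$"
)


def parse_soa(line):
    """Return the SOA fields as a dict; numeric fields are converted to int."""
    m = SOA_RE.match(line.strip())
    if not m:
        raise ValueError("not a dig-style SOA record line")
    rec = m.groupdict()
    for key in ("ttl", "serial", "refresh", "retry", "expire", "minimum"):
        rec[key] = int(rec[key])
    return rec


def check_soa_timers(rec):
    """Return a list of findings about the timers (empty list means no issue).

    Rules: secondaries retry sooner than they refresh, and a zone should not
    expire on the secondaries before at least one refresh-plus-retry cycle.
    """
    findings = []
    if rec["retry"] >= rec["refresh"]:
        findings.append("retry (%d) should be shorter than refresh (%d)"
                        % (rec["retry"], rec["refresh"]))
    if rec["expire"] < rec["refresh"] + rec["retry"]:
        findings.append("expire (%d) is shorter than refresh + retry (%d)"
                        % (rec["expire"], rec["refresh"] + rec["retry"]))
    return findings


def serial_looks_like_date(serial):
    """True when the serial follows the YYYYMMDDnn convention (a plain counter
    such as 1882919 does not); useful when comparing primary and secondary."""
    s = str(serial)
    if len(s) != 10:
        return False
    year, month, day = int(s[:4]), int(s[4:6]), int(s[6:8])
    return 1970 <= year <= 2100 and 1 <= month <= 12 and 1 <= day <= 31


if __name__ == "__main__":
    rec = parse_soa(SAMPLE_SOA_LINE)
    print({k: rec[k] for k in ("serial", "refresh", "retry", "expire", "minimum")})
    print("findings:", check_soa_timers(rec) or "none")
    print("date-style serial:", serial_looks_like_date(rec["serial"]))
```

The last field is labelled TTL on the cheat sheet; dig and RFC terminology call it the minimum (negative-caching) TTL, which is why the parser names it `minimum`.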

Google Hacking

An attacker will use Google to enumerate a target without ever touching it. The advanced search syntax is easy to use but can be quirky at times. It takes practice and experimentation.

Using Advanced Search
  operator:keyword additional search terms

Advanced operators
  site:        Confines keywords to search only within a domain
  ext:         File extension
  loc:         Maps location
  intitle:     Keywords in the title tag of the page
  allintitle:  Any of the keywords can be in the title
  inurl:       Keywords anywhere in the URL
  allinurl:    Any of the keywords can be in the URL
  cache:       Search Google cache only

Keyword combinations
  password passlist username user
  login logon
  Administrator Admin Root
  Prototype Proto Test Example

Examples
  site:intenseschool.com (ceh ecsa lpt)
  intitle:index.of
  allinurl:login logon
  -ext:html -ext:htm -ext:asp -ext:aspx -ext:php

Nmap Scan Types

Nmap is the de facto tool for footprinting networks. It is capable of finding live hosts, access points, fingerprinting operating systems, and verifying services. It also has important IDS evasion capabilities.

Discovery Scans
  Option  Description
  -sP     Ping
  -sL     List scan
  -sO     Protocol
  -sV     Verify

Normal Scans
  Option  Description  Flags
  -sT     Connect      S
  -sS     Stealth      S

Inverse Scans
  Option  Description  Flags
  -sN     Null         (none)
  -sA     Ack          A
  -sW     Window       A
  -sX     Xmas         U P F

Other Important Nmap Options
  Option    Description
  -A        Enable OS detection, version detection, script scanning and traceroute
  -n        Do not look up DNS
  -v        Verbose output
  -T [0-5]  Timing; 5 is faster
  -P0       Do not ping first

TCP Flags

This test will have scenarios that require that you demonstrate an understanding of TCP behavior, including Nmap scan types. Be sure to know each of these combinations well.

TCP Flags (bit layout, most significant bit first)
  0 0 URG ACK PSH RST SYN FIN

TCP Handshake (Open Port)
  Direction  Binary    Hex   Flags  Seq / Ack
  A - B      00000010  0x02  S      Seq 1 Ack 0
  B - A      00010010  0x12  SA     Ack 2 Seq 10
  A - B      00010000  0x10  A      Seq 2 Ack 11

TCP Handshake (Closed Port)
  Direction  Binary    Hex   Flags  Seq / Ack
  A - B      00000010  0x02  S      Seq 1 Ack 0
  B - A      00010100  0x14  RA     Ack 2 Seq 0

Nmap Stealth Scan (Open Port)
  Direction  Binary    Hex   Flags
  A - B      00000010  0x02  S
  B - A      00010010  0x12  SA
  A - B      00000100  0x04  R

Nmap Xmas Scan (Open Port)
  Direction  Binary    Hex   Flags
  A - B      00101001  0x29  UPF
  No response from Linux hosts; RA from Windows

Nmap ACK Scan
  Direction  Binary    Hex   Flags
  A - B      00010000  0x10  A
  B - A      00000100  0x04  R
  Solaris will not respond on open ports

Ports and Protocols

These must be memorized! Also be prepared to convert them to hexadecimal representation in case they must be identified in a packet dump, log file, IDS rule, or a sniffer capture/display.

  Port             Service
  21               FTP
  22               SSH
  23               Telnet
  25               SMTP
  42               WINS
  53               DNS
  80 - 81 - 8080   HTTP
  88               Kerberos
  110              POP3
  111              Portmapper
  119              NNTP
  135              RPC
  137 - 138 - 139  NetBIOS
  143              IMAP
  161              SNMP
  (port missing)   Palm Pilot Remote Sync

Trojan Horses
  Port   Trojan
  7777   Tini
  12345  NetBus
  27374  Sub7
  31337  Back Orifice
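The Nmap Scan Types, TCP Flags and Ports and Protocols sheets all come down to reading a TCP header out of a hex dump: two-byte ports, the flags byte, and matching the flag combination to a handshake step or a scan probe. The following is an added example written for this page, not code from the cheat sheet or from Nmap: a Python decoder for the fixed 20-byte TCP header that names the flags, classifies the flag byte against the combinations listed above, and converts a port to the hex form seen in a capture. The three packets are constructed byte strings (ephemeral port 49152 talking to port 80), not captures from any real host, and the port table is the subset of the cheat sheet's entries.

```python
import struct

# Bit values of the TCP flags byte. The cheat sheet's layout
# "0 0 URG ACK PSH RST SYN FIN" reads from the most significant bit down.
TCP_FLAG_BITS = {
    "URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}

# Services for some of the ports on the cheat sheet (subset).
PORT_NAMES = {
    21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "HTTP",
    88: "Kerberos", 110: "POP3", 135: "RPC", 139: "NetBIOS Session", 445: "CIFS",
    7777: "Tini (Trojan)", 12345: "NetBus (Trojan)", 27374: "Sub7 (Trojan)",
    31337: "Back Orifice (Trojan)",
}

# Flag combinations the cheat sheet describes, keyed by the raw flags byte.
SIGNATURES = {
    0x02: "SYN: handshake step 1 or connect/stealth scan probe",
    0x12: "SYN/ACK: open-port reply",
    0x14: "RST/ACK: closed-port reply",
    0x10: "ACK: handshake step 3 or ACK scan probe",
    0x04: "RST: reply to an ACK scan probe",
    0x29: "URG/PSH/FIN: Xmas scan probe",
    0x00: "no flags: Null scan probe",
}


def decode_flags(flag_byte):
    """Names of the flags set in the byte, in bit order from URG down to FIN."""
    return [name for name, bit in TCP_FLAG_BITS.items() if flag_byte & bit]


def classify(flag_byte):
    """Match the low six flag bits against the cheat sheet's combinations."""
    return SIGNATURES.get(flag_byte & 0x3F, "unlisted flag combination")


def port_hex(port):
    """The port as it appears in a dump: two bytes, network byte order."""
    return "0x%04x" % port


def parse_tcp_header(raw):
    """Decode the fixed part of a TCP header (no IP header in front of it)."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes of TCP header")
    src, dst, seq, ack, off_res, flags, window = struct.unpack("!HHIIBBH", raw[:16])
    return {
        "src_port": src,
        "dst_port": dst,
        "dst_service": PORT_NAMES.get(dst, "unknown"),
        "seq": seq,
        "ack": ack,
        "header_len": (off_res >> 4) * 4,   # data offset is in 32-bit words
        "window": window,
        "flags": decode_flags(flags),
        "meaning": classify(flags),
    }


# Constructed packets (not real captures): src 0xc000 = 49152, dst 0x0050 = 80,
# data offset 5 words, then the flags byte, window, checksum, urgent pointer.
SYN_PROBE = bytes.fromhex("c000 0050 00000001 00000000 50 02 2000 0000 0000")
XMAS_PROBE = bytes.fromhex("c000 0050 00000001 00000000 50 29 2000 0000 0000")
RST_ACK_REPLY = bytes.fromhex("0050 c000 00000000 00000002 50 14 0000 0000 0000")


def summarize(raw):
    """One-line description in the cheat sheet's own letter notation (S, SA, UPF)."""
    h = parse_tcp_header(raw)
    letters = "".join(f[0] for f in h["flags"]) or "none"
    return "%d -> %d (%s) flags=%s : %s" % (
        h["src_port"], h["dst_port"], h["dst_service"], letters, h["meaning"])


if __name__ == "__main__":
    for pkt in (SYN_PROBE, XMAS_PROBE, RST_ACK_REPLY):
        print(summarize(pkt))
```

In a real capture the TCP header follows a 20-byte (or longer) IP header, so slice past the IP header length before calling `parse_tcp_header`.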

Enumeration

Enumeration is the act of making a list of policies, user accounts, shares and other resources. This step happens just before vulnerability assessment and helps the attacker put together the best strategy for gaining access.

Establishing a Null Session
  net use \\[target ip]\IPC$ "" /user:""

Protecting Against Information Disclosure
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous
  "0" is the default for Windows 2000 and gives up everything
  "1" is the default for Windows 2003 and gives up less
  "2" is the most secure setting but makes a machine not very cooperative with others

Microsoft SIDs
  S-1-5-21-...-500   Built-in local administrator
  S-1-5-21-...-501   Built-in local guest
  S-1-5-21-...-512   Built-in domain administrator
  S-1-5-21-...-1000  Anything above 1000 are users that have been created

Ports involved in enumeration attacks
  111  Linux Portmapper service
  42   WINS
  88   Kerberos
  135  Windows RPC-DCOM
  137  NetBIOS Name Service
  138  NetBIOS Datagram Service
  139  NetBIOS Sessions
  161  SNMP Agent
  162  SNMP Traps
  389  LDAP
  445  CIFS (Common Internet File System)

Misc.
  "public" and "private"    default community SNMP strings
  1.1.1.2.1.0.0.1.3.4.1.4   is an SNMP OID
  ou sales,cn example       is an LDAP (LDIF) name string
  fingerd                   the finger daemon was used in older UNIX systems
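The point of the SID table is that the relative identifier (the last number) is fixed: the built-in administrator keeps RID 500 no matter what the account is renamed to, and anything at or above 1000 was created after installation. The following is an added example, not part of the cheat sheet: a Python classifier that splits an S-1-5-21 account SID into its domain identifier and RID, labels the RIDs listed above, and audits a constructed account list the way a defender reviewing an enumeration report or a log export would. The account names and sub-authority numbers are made up for the sample.

```python
import re

# Account SIDs in a domain or on a local machine look like
# S-1-5-21-<sub-auth>-<sub-auth>-<sub-auth>-<RID>
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

# RIDs listed on the cheat sheet.
WELL_KNOWN_RIDS = {
    500: "Built-in local Administrator",
    501: "Built-in local Guest",
    512: "Built-in domain administrator group",
}


def classify_sid(sid):
    """Split a SID into its domain identifier and RID and label the RID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not an S-1-5-21 account SID: %r" % sid)
    parts = [int(x) for x in m.groups()]
    domain_parts, rid = parts[:3], parts[3]
    if rid in WELL_KNOWN_RIDS:
        label = WELL_KNOWN_RIDS[rid]
    elif rid >= 1000:
        label = "User-created account or group"
    else:
        label = "Other reserved RID"
    return {
        "domain": "S-1-5-21-%d-%d-%d" % tuple(domain_parts),
        "rid": rid,
        "label": label,
    }


def audit_accounts(accounts):
    """accounts: iterable of (name, sid) pairs as an enumeration tool would list them.

    Findings: the RID-500 account when it no longer carries the Administrator
    name (renaming does not change the RID), and accounts whose domain
    identifier differs from the others (an account from elsewhere in the list).
    """
    findings = []
    by_domain = {}
    for name, sid in accounts:
        info = classify_sid(sid)
        by_domain.setdefault(info["domain"], []).append(name)
        if info["rid"] == 500 and name.lower() != "administrator":
            findings.append(
                "%s is the built-in Administrator (RID 500) under another name" % name)
    if len(by_domain) > 1:
        smallest = min(by_domain.values(), key=len)
        findings.append("accounts from a second domain identifier: %s" % ", ".join(smallest))
    return findings


# Constructed sample (names and numbers invented for this example).
SAMPLE_DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_ACCOUNTS = [
    ("svc_backup", SAMPLE_DOMAIN + "-500"),
    ("Guest", SAMPLE_DOMAIN + "-501"),
    ("Domain Admins", SAMPLE_DOMAIN + "-512"),
    ("jsmith", SAMPLE_DOMAIN + "-1105"),
]

if __name__ == "__main__":
    for name, sid in SAMPLE_ACCOUNTS:
        print(name, classify_sid(sid))
    for finding in audit_accounts(SAMPLE_ACCOUNTS):
        print("FINDING:", finding)
```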

Password Cracking

This test will have scenarios that require that you demonstrate an understanding of TCP behavior. Be sure to know each of these combinations well.

Types of password cracking techniques
  Guessing     Is the most efficient, assuming information gathering beforehand
  Dictionary   Based on a predetermined list of words
  Brute Force  Trying every possible combination of characters
  Hybrid       A combination of all other attacks

LM Hashes
  Every password is ultimately 14 characters long, split into two 7-character halves
  Passwords that are less than 7 characters are easily identified in the SAM file (hash ends in 404EE)

Rainbow Tables
  "Time / Memory Trade-off": less memory than a lookup, less computing than a brute force.

Salting
  Salting the hash is a way to combat rainbow tables.

Cracking Effort
  Weak passwords    can be cracked in seconds
  Strong passwords  might take the lifetime of several universes to crack
  Rainbow Tables    solve the "Time / Memory Trade-off"
  DNA               Distributed Network Architecture

Popular Cracking Tools
  John the Ripper  Command line tool that runs under both Windows and Linux
  L0phtcrack       Commercial tool
  Ophcrack         Open source tool that supports rainbow tables
  Cain and Abel    Powerful multipurpose tool that can sniff and crack passwords of many types
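The LM and salting points above can both be checked in code. The following is an added example, not from the cheat sheet or any of the tools it names: a Python audit that reads pwdump-style lines and reports what the LM hash gives away about password length without cracking anything (the 404EE tail the sheet mentions is the end of the constant AAD3B435B51404EE, the LM hash of an empty 7-character half), followed by a salted password hash with PBKDF2 from the standard library, showing why two users with the same password get different stored values and so cannot be matched against one precomputed table. The pwdump lines and hash values are constructed for the example and are not real account data.

```python
import hashlib
import hmac
import os

# LM hash of an empty 7-character half; the cheat sheet quotes its tail, 404EE.
LM_EMPTY_HALF = "AAD3B435B51404EE"
LM_NO_PASSWORD = LM_EMPTY_HALF * 2


def audit_lm_hash(lm_hash):
    """What an LM hash reveals about the password before any cracking."""
    h = lm_hash.strip().upper()
    if len(h) != 32:
        raise ValueError("LM hash must be 32 hex characters")
    if h == LM_NO_PASSWORD:
        return "empty password or LM hashing disabled"
    if h.endswith(LM_EMPTY_HALF):
        return "password is 7 characters or shorter"
    return "password is 8 to 14 characters"


def audit_pwdump(lines):
    """Parse pwdump-style lines (user:RID:LM:NT:::) into {user: finding}."""
    results = {}
    for line in lines:
        if not line.strip():
            continue
        user, rid, lm, nt = line.split(":")[:4]
        results[user] = audit_lm_hash(lm)
    return results


# Constructed pwdump output: invented hex values, not real hashes of any account.
SAMPLE_PWDUMP = """
Administrator:500:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::
jsmith:1105:0123456789ABCDEFAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
""".strip().splitlines()

# Salted storage: a per-user random salt plus an iterated hash. PBKDF2 iterations
# kept low here so the example runs quickly; production counts are far higher.
ITERATIONS = 50_000


def unsalted_hash(password):
    """Plain SHA-256, the shape of value a rainbow table is built against."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Return 'salthex$digesthex' with a fresh 16-byte salt unless one is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    for user, finding in audit_pwdump(SAMPLE_PWDUMP).items():
        print("%-14s %s" % (user, finding))
    same_pw = "Summer2009"
    print("unsalted, two users:", unsalted_hash(same_pw) == unsalted_hash(same_pw))
    print("salted, two users:  ", hash_password(same_pw) == hash_password(same_pw))
```

The same-password check at the bottom prints True for the unsalted digest and False for the salted one; that difference is the whole reason a rainbow table built for one hash function does not transfer to salted storage.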

Trojans and Malware

The official definition is: a legitimate application that has been modified with malicious code. A Trojan horse is a social engineering technique. It masquerades as a legitimate download and injects the victim's host with an access point, or a client that can connect outbound to a server waiting remotely. They don't necessarily exploit a vulnerability unless privilege escalation is necessary. They provide a command environment for whoever connects to them that includes: file browsers, keyloggers, web cam viewer, and many additional tools.

Terms
  Wrapper or Binder  Application used to combine a malicious binary and a legitimate program
  Rootkit            Can be installed via Trojan, used to hide processes that create backdoor access
  HTTP Trojan        Reverses a connection outbound through an HTTP or SHTTP tunnel
  Netcat             Not really a Trojan, but often used in Trojan code to set up the listening socket
  Hoax               Many legit tools are rumored to be Trojans but might not be
  Keylogger          Records the keystrokes on the install host and saves them in a log

Famous Trojans
  Tini          Small 3 KB file, uses port 7777
  Loki          Used ICMP as a tunneling protocol
  Netbus        One of the first RATs (Remote Authentication Trojan)
  Sub 7         Written in Delphi, expanded on what Netbus had demonstrated
  Back Orifice  First modular malware, had the capabilities to be expanded on by outside authors
  Beast         All in one client / server binary
  MoSucker      Client could select the infection method for each binary
  Nuclear RAT   Reverse connecting Trojan
  Monkey Shell  Provides a powerful shell environment that can reverse connections and encrypt commands

Detecting
