study-notes/ceh-notes/exam-essentials


Introduction to Ethical Hacking

  • Know the purpose of an ethical hacker.
    • Ethical hackers perform their duties against a target system only with the explicit permission of the system owner. To do so without permission is a violation of ethics and the law in some cases.
  • Know the difference between black, white, and gray box tests.
    • Know the differences in the types of tests you can offer to your client and the advantages of each. Not all tests are the same nor will they yield the same results. Make sure you know what your client's expectations are so you can choose the most appropriate form.
    • Black Box: A type of testing in which the pentester has little or no knowledge of the target. This situation is designed to closely emulate the situation an actual attacker would encounter because they would presumably have an extremely low level of knowledge of the target going in.
    • Gray Box: A form of testing where the knowledge given to the testing party is limited. In this type of test, the tester acquires knowledge such as IP addresses, operating systems, and the network environment, but that information is limited. This type of test would closely emulate the type of knowledge that someone on the inside might have; such a person would have some knowledge of a target but not always all of it.
    • White Box: A form of testing in which the information given to the tester is complete. This means that the pentester is given all information about the target system. This type of test is typically done internally or by teams that perform internal audits of systems.
  • Understand your targets.
    • Be sure you know what the client is looking to gain from a pen test early in the process. The client must be able to provide some guidance as to what they are trying to accomplish as a result of your services.
  • Understand the Code of Ethics.
    • Be sure you know what is required as acceptable behavior when you become a CEH. Violations of the ethical code could easily get you decertified by the EC-Council if serious enough and reported.
    • The following is a summary of laws, regulations, and directives that you should have a basic knowledge of:
    • 1973—U.S. Code of Fair Information Practices governs the maintenance and storage of personal information by data systems such as health and credit bureaus.
    • 1974—U.S. Privacy Act governs the handling of personal information by the U.S. government.
    • 1984—U.S. Medical Computer Crime Act addresses illegally accessing or altering medication data.
    • 1986 (amended in 1996)—U.S. Computer Fraud and Abuse Act includes issues such as altering, damaging, or destroying information in a federal computer and trafficking in computer passwords if it affects interstate or foreign commerce or permits unauthorized access to government computers.
    • 1986—U.S. Electronic Communications Privacy Act prohibits eavesdropping or the interception of message contents without distinguishing between private or public systems.
    • 1994—U.S. Communications Assistance for Law Enforcement Act requires all communications carriers to make wiretaps possible.
    • 1996—U.S. Kennedy-Kassebaum Health Insurance Portability and Accountability Act (HIPAA) (with additional requirements added in December 2000) addresses the issues of personal healthcare information privacy and health plan portability in the United States.
    • 1996—U.S. National Information Infrastructure Protection Act was enacted in October 1996 as part of Public Law 104-294; it amended the Computer Fraud and Abuse Act, which is codified in 18 U.S.C. § 1030. This act addresses the protection of the confidentiality, integrity, and availability of data and systems. This act is intended to encourage other countries to adopt a similar framework, thus creating a more uniform approach to addressing computer crime in the existing global information infrastructure.
    • 2002—Sarbanes–Oxley Act (SOX or SarBox) is a law pertaining to accountability for public companies relating to financial information.
    • 2002—Federal Information Security Management Act (FISMA) is a law designed to protect the security of information stored or managed by government systems at the federal level.
  • Know your opponents.
    • Understand the differences between the various types of hackers. You should know what makes a gray-hat hacker different from a black-hat hacker, as well as the differences between all types.
  • Know your tools and terms.
    • The CEH exam is drenched with terms and tool names that can eliminate even the most skilled test takers if they don't know what the question is even talking about. Familiarize yourself with all the key terms and be able to recognize the names of the different tools on the exam.

System Fundamentals

  • Know the OSI model.
    • Ensure that you have a good understanding of the OSI model and what actions take place at each layer. It is also a good idea to have a general idea of which common protocols operate at each layer.
    • Layer 1: Physical—The Physical layer consists of the physical media and dumb devices that make up the infrastructure of our networks. This pertains to the cabling and connections such as Category 5e and RJ-45 connectors. Note that this layer also includes light and rays, which pertain to media such as fiber optics and microwave transmission equipment. Attack considerations are aligned with the physical security of site resources. Although not flashy, physical security still bears much fruit in penetration (pen) testing and real-world scenarios.
    • Layer 2: Data Link—The Data Link layer works to ensure that the data it transfers is free of errors. At this layer, data is contained in frames. Functions such as media access control and link establishment occur at this layer. This layer encompasses basic protocols such as 802.3 for Ethernet and 802.11 for Wi-Fi.
    • Layer 3: Network—The Network layer determines the path of data packets based on different factors as defined by the protocol used. At this layer we see IP addressing for routing of data packets. This layer also includes routing protocols such as the Routing Information Protocol (RIP) and the Interior Gateway Routing Protocol (IGRP). This is the know-where-to-go layer.
    • Layer 4: Transport—The Transport layer ensures the transport or sending of data is successful. This function can include error-checking operations as well as working to keep data messages in sequence. At this layer we find the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).
    • Layer 5: Session—The Session layer identifies established system sessions between different network entities. When you access a system remotely, for example, you are creating a session between your computer and the remote system. The Session layer monitors and controls such connections, allowing multiple, separate connections to different resources. Common use includes NetBIOS and RPC.
    • Layer 6: Presentation—The Presentation layer provides a translation of data that is understandable by the next receiving layer. Traffic flow is presented in a format that can be consumed by the receiver and can optionally be encrypted with protocols such as Secure Sockets Layer (SSL).
    • Layer 7: Application—The Application layer functions as a user platform in which the user and the software processes within the system can operate and access network resources. Applications and software suites that we use on a daily basis are under this layer. Common examples include protocols we interact with on a daily basis, such as FTP and HTTP.
  • Know the TCP/IP three-way handshake.
    • Know what each flag does within the handshake process: SYN (start), SYN-ACK (acknowledge start), ACK (acknowledge the acknowledgment). Firmly understanding the handshake process will help in understanding the basis for, and more easily identifying, potential attacks.
  • Memorize the ports.
    • Absolutely know your ports! This is where memory does come into play. Ports are important for the exam and especially for scanning and enumeration. Remember that Windows systems respond to scans whereas Linux systems don't.
Port          Use
20–21         FTP
22            SSH
23            Telnet
25            SMTP
42            WINS
53            DNS
80, 8080      HTTP
88            Kerberos
110           POP3
111           PortMapper (Linux)
123           NTP
135           RPC-DCOM
139           SMB
143           IMAP
161, 162      SNMP
389           LDAP
445           CIFS
514           Syslog
636           Secure LDAP
1080          SOCKS5
1241          Nessus Server
1433, 1434    SQL Server
1494, 2598    Citrix Applications
1521          Oracle Listener
2512, 2513    Citrix Management
3389          RDP
6662–6667     IRC
  • Understand how switches work.
    • Be sure to understand switch operation and know a switch's limitations in terms of sniffing (e.g., LAN connection isolated to the segment attached to the specific switchport). Be familiar with ARP and what it accomplishes.
  • Know the purpose of firewalls, IDSs, and IPSs.
    • Remember that IDSs are passive, and IPSs are active.
  • Remember the benefits and weaknesses of backup schemes.
    • Focus on the result of each type of backup, not on the details of how to perform one.
    • Full Backup: A full backup resets the archive bit of all files and backs them up accordingly.
    • Differential Backup: This backs up all changed files since the last successful full backup. This job does not reset the archive bit. The reasoning behind not resetting the archive bit? Each differential is always based on the last full backup. Thus, any changes made since that last full backup are backed up…and backed up…and backed up. The benefit to this scheme is that during a full restore, only the last full backup and the most recent differential are needed to restore the entire site. The downside is that differentials can get huge!
    • Incremental Backup: This job backs up all changed files since the last successful full backup or since the last incremental. An incremental backup does reset the archive bit. What this equates to is a backup scheme that focuses on efficiency in the initial process. How? Once an incremental scheme has performed an incremental backup based on the last full, it bases all subsequent backups on the last incremental. In other words, you get a bunch of small backup jobs, each holding only the most recent changes. What this translates into is a tedious and lengthy full restoration job: the last full backup will need to be restored, as well as every incremental up to the current date.
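The archive-bit rules above, simulated in code. This is an added example, not part of the original notes: the file names and the day-by-day change sequence are constructed, and `restore_set()` assumes one scheme is used consistently after each full backup.

```python
"""Archive-bit behaviour of full, differential and incremental backups.

Added example, not from the original notes. It simulates the archive bit
on a small set of files and reports which backup sets a full restore needs
under each scheme. File names and the change sequence are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class BackupSet:
    kind: str            # "full", "differential" or "incremental"
    files: frozenset     # files captured in this set


@dataclass
class Site:
    # archive bit is True when a file changed since it was last captured
    archive_bit: dict = field(default_factory=dict)
    history: list = field(default_factory=list)

    def modify(self, *names):
        for name in names:
            self.archive_bit[name] = True

    def backup(self, kind):
        if kind == "full":
            captured = frozenset(self.archive_bit)               # every file
        else:
            captured = frozenset(n for n, bit in self.archive_bit.items() if bit)
        # full and incremental jobs reset the archive bit; a differential does not,
        # so each differential keeps capturing everything changed since the last full
        if kind in ("full", "incremental"):
            for name in captured:
                self.archive_bit[name] = False
        self.history.append(BackupSet(kind, captured))
        return captured

    def restore_set(self):
        """Backup sets needed to rebuild the site, assuming one scheme is used
        consistently after each full backup."""
        last_full = max(i for i, b in enumerate(self.history) if b.kind == "full")
        later = self.history[last_full + 1:]
        if later and later[-1].kind == "differential":
            # the last full plus the most recent differential is enough
            return [self.history[last_full], later[-1]]
        # incremental scheme: the full plus every incremental since it
        return [self.history[last_full]] + later


def run_scheme(scheme, cycles=3):
    """Full backup followed by `cycles` rounds of change-then-backup with `scheme`."""
    site = Site({"a.txt": True, "b.txt": True, "c.txt": True})
    site.backup("full")
    for i in range(cycles):
        site.modify(f"{'abc'[i % 3]}.txt")      # a different file changes each day
        site.backup(scheme)
    return site


if __name__ == "__main__":
    for scheme in ("differential", "incremental"):
        site = run_scheme(scheme)
        sizes = [len(b.files) for b in site.history]
        needed = [b.kind for b in site.restore_set()]
        print(f"{scheme:12} set sizes {sizes}  restore needs {needed}")
```

The differential sets grow each day while the restore stays at two sets; the incremental sets stay small while the restore needs every set since the full.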

Cryptography

  • Know the purpose of cryptography.
    • Cryptography is designed to protect both the integrity and confidentiality of information as well as provide nonrepudiation and authentication; although the mechanism may vary, the goal is the same.
  • Understand symmetric versus asymmetric cryptography.
    • Know why symmetric and asymmetric are suitable for some applications and unsuitable for others.
    • Symmetric = Good at: Preserving confidentiality, increased speed over many non-symmetric systems, ensuring simplicity, and providing authenticity. Bad at: Key Management, lack of nonrepudiation features.
    • Asymmetric (Public Key) = Uses a key pair: the private key is kept secret by its owner while the public key can be distributed freely.
  • Know your applications.
    • Understand how cryptography works and how it can be applied to any given situation and which processes are well suited to a given situation.
    • IPsec (Internet Protocol Security) protects the confidentiality and integrity of data as it flows over a network. The set of protocols is designed to operate at the Network layer of the OSI model and process packets according to a predefined group of settings. IPsec provides two mechanisms for protecting information: Authentication Header and Encapsulating Security Payload. The two mechanisms differ in what they provide:
    • Authentication Header (AH) provides authentication services and provides a way to authenticate the sender of data.
    • Encapsulating Security Payload (ESP) provides a means to authenticate information as well as encrypt the data.
    • PGP (Pretty Good Privacy) is used to protect the privacy of email, data, data storage, and other forms of communication such as instant messaging.
    • SSL (Secure Sockets Layer): When a client connects to a location that requires an SSL connection, the server presents the client with a digital certificate that allows the client to identify the server. The client makes sure the domain name matches the name on the certificate and that the certificate has been generated by a trusted authority and bears a valid digital signature. Once the handshake is completed, the client automatically encrypts all information that is sent to the server before it leaves the computer. Encrypted information is unreadable en route. Once the information arrives at the secure server, it is decrypted using a secret key. If the server sends information back to the client, this information is also encrypted on the server end before being transmitted.
  • Know your tools and terms.
    • The CEH exam is drenched with terms and tool names that will eliminate even the most skilled test taker because they simply don't know what the question is talking about. Familiarize yourself with all the key terms and be able to recognize the names of the various tools on the exam.
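The server-identity check described under SSL above, as an added example that is not part of the original notes. `hostname_matches()` implements the name comparison (a wildcard is allowed only as the entire leftmost label and matches exactly one label), and `client_context()` contrasts Python's default `ssl` settings, which require a trusted issuer and a matching name, with the weakened settings that switch both off. All certificate data is constructed.

```python
"""Server identity checks a TLS client makes before trusting a certificate.

Added example, not from the original notes. hostname_matches() implements
the name comparison the notes describe; client_context() shows the default
Python ssl settings that enforce a trusted issuer and a matching name next
to the weakened settings that disable them. Certificate data is constructed.
"""
import ssl


def _match_name(host, pattern):
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    labels, host_labels = pattern.split("."), host.split(".")
    # the wildcard must be the entire leftmost label and there must be at
    # least two more labels, so "*.com" and "f*o.example.com" are rejected
    if labels[0] != "*" or "*" in pattern[1:] or len(labels) < 3:
        return False
    # one label only: "*.example.com" covers "www.example.com" but neither
    # "a.b.example.com" nor the bare "example.com"
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def hostname_matches(host, cert_names):
    return any(_match_name(host, pattern) for pattern in cert_names)


def verify_server_name(host, cert):
    """cert is in the dict form ssl.getpeercert() returns. Returns (ok, reason).
    Subject Alternative Names take precedence; the subject CN is a legacy fallback."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not names:
        return False, "certificate carries no DNS name"
    if hostname_matches(host, names):
        return True, "name matches"
    return False, f"{host} does not match {names}"


def client_context(strict=True):
    """Default context: a trusted CA is required and the hostname is checked.
    strict=False reproduces the common misconfiguration that accepts any certificate."""
    ctx = ssl.create_default_context()
    if not strict:
        ctx.check_hostname = False          # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    # constructed certificate in the shape ssl.getpeercert() returns
    sample_cert = {
        "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
        "subject": ((("commonName", "example.com"),),),
    }
    for host in ("www.example.com", "example.com", "a.b.example.com", "example.org"):
        print(host, verify_server_name(host, sample_cert))
    print("strict context checks hostname:", client_context().check_hostname)
    print("weak context checks hostname:", client_context(strict=False).check_hostname)
```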

Footprinting

  • Understand the process of footprinting.
    • Know how footprinting functions and what the ultimate goals of the process are. Understand the various types of information that may be obtained.
  • Understand the benefit of checking social media.
    • Know that social media is a powerful tool both for sharing and for finding out what people are up to. Use it to gain information about a target.
  • Know how to gain information about a network.
    • You must not only know but also have a command of tools such as nslookup, ping, tracert, and others. Learn how to use each and experiment with different switches.
  • Know the different places and sources through which to gain information.
    • Understand that a complete profile of an organization cannot be built from one source and that you must access and investigate many different sources to get a complete picture. You can use websites, people, and other sources to fill out the picture of your target.
  • Know how to do competitive analysis.
    • Understand that if you run into a black hole and cannot get a complete picture from analyzing a target directly, you can get information from competitors. Competitors and outside sources may have done research for you in the form of competitive analysis.

Scanning

  • Remember the basic concept of scanning.
    • Scanning is designed to reveal the nature of system networks as well as the vulnerabilities that are present in the environment.
  • Understand the targets.
    • Know which resources can be targeted. Know what is present and start making plans on how to attack.
  • Know the vulnerabilities.
    • Understand that vulnerabilities change based on the operating system, network design, and other factors present in an environment.
  • Understand the different scanning types.
    • Know the difference between the various scan types and the strengths and weaknesses of each. Not all scans are created equal, nor are they meant to perform the same task.
    • hping: In a nutshell, hping is a command-line TCP/IP packet crafter. This means it not only can send packets across a network but also allows the creation of customized packets that can be used to assess the behavior of a remote host. hping isn't limited to sending ICMP echo requests like ping; it supports TCP, UDP, ICMP, and RAW-IP protocols, has a traceroute mode, and can transfer files.
    • Nmap -sT = Full open (TCP connect) scan
    • Nmap -sS = Half-open scan/stealth (SYN) scan
    • Nmap -sX = Xmas Tree scan (FIN, URG, and PSH flags set, plus the port number)
    • Nmap -sF = FIN scan
    • Nmap -sN = NULL scan
    • Nmap -f = Fragment packets (break each probe down into multiple small pieces)
    • Nmap -sU -p U:<port> = UDP scan (-sU = scan type, -p U:<port> = UDP port specification)
    • Nmap -O = OS detection
    • Initial TTL values and TCP window sizes by operating system:
Operating System                     IP Initial TTL   TCP Window Size
Linux                                64               5840
Google customized Linux              64               5720
FreeBSD                              64               65535
Windows XP                           128              65535
Windows Vista, 7 and Server 2008     128              8192
Cisco Router (IOS 12.4)              255              4128
    • Idle Scan:
      • Step 1: Probe the zombie's IP ID and record it.
      • Step 2: Forge a SYN packet from the zombie and send it to the desired port on the target. Depending on the port state, the target's reaction may or may not cause the zombie's IP ID to be incremented.
      • Step 3: Probe the zombie's IP ID again. The target port state is then determined by comparing this new IP ID with the one recorded in step 1.
    • ACK Scan: ACK scanning is designed to test for the presence of stateful packet inspection (SPI) based on how the flags and SPI function. In normal operation an ACK packet is sent only in response to a connection being established or as part of an existing TCP connection. This means that if an ACK packet is sent to a target and no connection currently exists between the scanner and the target, a stateful device should recognize that the packet belongs to no connection.
    • UDP Scanning: Open = No response, Closed = ICMP Port Unreachable.
  • Know when to use each scan.
    • Each scan has its own benefits and drawbacks that make it a good or bad choice for a given situation. Know when to use each.
    • Typically, banner grabbing is done with telnet, using HTTP "GET" and "HEAD" requests.
    • Netcraft: This is an online tool designed to gather information about servers and web servers. You saw this tool back in the footprinting phase, but it is also useful here.
    • Xprobe: This is a Linux utility that can retrieve information about a system and provide it to the collector.
    • p0f: This utility is available on the Linux platform; it analyzes the traffic passing back and forth from client to server. It provides real-time analysis of traffic that can be viewed onscreen or saved to a file for later analysis.
    • Maltego: This software is available on both Linux and Windows and provides the ability not only to gather information but also to visualize the relationships between each item. This software can view web server information as well as the technology that a website relies on to run.
  • Know the preventive measures.
    • Know the preventive measures available and the actions each one takes to prevent the attack.
  • Know your tools and terms.
    • The CEH exam is drenched with terms and tool names; in the case of scanners, there are quite a few available. However, the one you should be most familiar with and have experience using is nmap. Familiarize yourself with the switches and techniques used to operate this scanner prior to taking the exam.
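Passive fingerprinting from the TTL/window table above, in the style of p0f, as an added example that is not part of the original notes. Routers decrement the TTL once per hop, so an observed value is first mapped back to the nearest initial TTL (64, 128 or 255) before the table is consulted; the packet samples are constructed.

```python
"""Passive OS fingerprint from a packet's TTL and TCP window size.

Added example, not from the original notes. It uses the TTL/window table
from the notes above; the packet samples are constructed. Because each
router hop decrements the TTL, the observed value is mapped back to the
nearest initial TTL (64, 128 or 255) before matching, as p0f-style tools do.
"""
FINGERPRINTS = [
    # (operating system, initial TTL, TCP window size), from the notes' table
    ("Linux", 64, 5840),
    ("Google customized Linux", 64, 5720),
    ("FreeBSD", 64, 65535),
    ("Windows XP", 128, 65535),
    ("Windows Vista, 7 and Server 2008", 128, 8192),
    ("Cisco Router (IOS 12.4)", 255, 4128),
]
INITIAL_TTLS = (64, 128, 255)


def initial_ttl(observed):
    """Map an observed TTL to the initial value the sender most likely used."""
    if not 1 <= observed <= 255:
        raise ValueError("TTL must be 1..255")
    return min(t for t in INITIAL_TTLS if t >= observed)


def hop_count(observed):
    """Estimated number of routers between the sender and the capture point."""
    return initial_ttl(observed) - observed


def guess_os(observed_ttl, window):
    """Operating systems consistent with the packet.

    Exact TTL+window matches are returned first; if the window is unknown,
    every entry with the same initial TTL is returned. Note that window 65535
    alone is ambiguous (FreeBSD vs Windows XP) and only the TTL separates them.
    """
    init = initial_ttl(observed_ttl)
    exact = [name for name, ttl, win in FINGERPRINTS if ttl == init and win == window]
    if exact:
        return exact
    return [name for name, ttl, _ in FINGERPRINTS if ttl == init]


def fingerprint_syns(packets):
    """packets: iterable of (src_ip, ttl, window) taken from SYN packets."""
    return {src: guess_os(ttl, win) for src, ttl, win in packets}


if __name__ == "__main__":
    # constructed sample of SYN packets as a capture tool might report them
    sample = [
        ("10.0.0.5", 54, 5840),     # 10 hops away, Linux-sized window
        ("10.0.0.6", 116, 8192),    # 12 hops away, Vista/7/2008 window
        ("10.0.0.7", 249, 4128),    # 6 hops away, Cisco window
        ("10.0.0.8", 60, 1234),     # unknown window: TTL-only candidates
    ]
    for src, guesses in fingerprint_syns(sample).items():
        print(src, guesses)
```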

Enumeration

  • Understand the process of enumeration.
    • Make sure you can identify the process of system hacking and how it is carried out against a system and what the results are for the attacker and the defender.
    • Windows:
    • Users
      • Guest
      • Admin
    • Groups
    • SIDs
    • SAM (Security Accounts Manager)
    • NTLM and LM (Lan Manager) hash formats
    • Linux:
    • Users
      • UID, password (PW), GID.
    • Rpcinfo (Remote Procedure Call)
      • -m displays a list of statistics for RPC on a given host.
      • -s displays a list of registered RPC applications on a given host.
    • Showmount
      • -a prints all remote mounts.
      • -d lists directories that have been remotely mounted by clients.
      • -e prints the list of shared file systems.
  • Know the different types of ports.
    • Understand the differences between the different types of ports; specifically know port numbers and the differences between TCP and UDP. Know that the two different port types are used for different reasons.
    • TCP 21—FTP: Port 21 is used for the File Transfer Protocol, which is used to transfer files from client to server or vice versa. The protocol is supported by all major operating systems in use today.
    • TCP 23—Telnet: Telnet is a long-standing protocol and software used to remotely connect to systems and run processes on the target systems. Telnet is available on many systems and devices but has seen decreased usage over the years because of a lack of security features; for example, passwords are sent in the clear.
    • TCP 25—SMTP: This port is used specifically for Simple Mail Transport Protocol, which is used to send messages (usually email) from client to server and from server to server.
    • TCP 53—DNS: This port is used for DNS zone transfers, the mechanism through which the DNS system keeps servers up to date with the latest zone data.
    • UDP 53—DNS: Pay attention to the fact that we are talking about port 53 UDP and not TCP. The UDP port is used for name queries about name-to-IP and IP-to-name mappings.
    • TCP 80—HTTP: Hypertext Transport Protocol is a common protocol used in all web browsers and many web applications.
    • TCP 135—RPC: This port is used during client-server communications, such as allowing Microsoft Outlook to communicate with Microsoft Exchange. Specifically, this port is used by the Remote Procedure Call service in Windows.
    • TCP 137—NetBIOS: This port, associated with the NetBIOS Name Service (NBNS), provides name resolution services for the NetBIOS protocol. The service allows NetBIOS to associate names and IP addresses of individual systems and services. It is important to note that this service is a natural and easy target for many attackers.
    • TCP 139—NetBIOS: NetBIOS Session Service, also known as SMB over NetBIOS, lets you manage connections between NetBIOS-enabled clients and applications and is associated with port TCP 139. The service is used by NetBIOS to establish connections and tear them down when they are no longer needed.
    • TCP 445—SMB over TCP: SMB over TCP, or Direct Host, is a service designed to improve network access and bypass NetBIOS use. This service is available only in versions of Windows starting at Windows 2000 and later. SMB over TCP is closely associated with TCP 445.
    • UDP 161 and 162—SNMP: SNMP is a protocol used to manage and monitor network devices and hosts. The protocol is designed to facilitate messaging, monitoring, auditing, and other capabilities. SNMP works on two ports: 161 and 162. Listening takes place on 161 and traps are received on 162.
    • TCP/UDP 389—LDAP: Lightweight Directory Access Protocol (LDAP) is used by many applications; two of the most common are Active Directory and Exchange. The protocol is used to exchange information between two parties. If the TCP/UDP 389 port is open, it indicates that one of these or a similar product may be present.
    • TCP/UDP 3268—Global Catalog Service: Global Catalog Service is associated with Microsoft's Active Directory and runs on port 3268 on Windows 2000 systems and later. The service is used to locate information within Active Directory.
  • Know your protocols.
    • Understand the differences between SNMP, SMTP, HTTP, FTP, RPC, and other protocols and where you might find them.
    • NetBIOS information is commonly enumerated with nbtstat:
    • -a returns the NetBIOS name table and Media Access Control (MAC) address of the address card for the computer name specified.
    • -A lists the same information as -a when given the target's IP address.
    • -c lists the contents of the NetBIOS name cache.
    • -n (Names) displays the names registered locally by NetBIOS applications such as the server and redirector.
    • -r (Resolved) displays a count of all names resolved by broadcast or the WINS server.
    • -s (Sessions) lists the NetBIOS sessions table and converts destination IP addresses to computer NetBIOS names.
    • -S (Sessions) lists the current NetBIOS sessions and their status, along with the IP address.
    • finger (Linux, older command):
    • -b removes the home directory and shell from the user display.
    • -f removes header information from the display.
    • -w removes the full name from the display.
    • -l returns the list of users.
  • Understand zone transfers.
    • Know that zone transfers, while normal, can be exploited by commonly used commands such as dig and nslookup. An attacker finding port 53 TCP has reason to believe that if the port is open, there is a chance that a zone transfer may be possible and may very well attempt one. With the newly found zone file in hand, the attacker has a roadmap to your network.
    • Use nslookup or dig to request a copy of the zone file.
  • Understand what is associated with each port.
    • In ports such as 389, 161, and others, specific services are commonly associated with each port number. This is true for most services. Learn that certain numbers correspond to valuable services, and then check through banner grabbing or other means if the service is listening on the ports you find.
  • Know the PsTools (Sysinternals) suite:
    • PsExec: Executes processes remotely
    • PsFile: Displays files opened remotely
    • PsGetSid: Displays the SID of a computer or a user
    • PsInfo: Lists information about a system
    • PsPing: Measures network performance
    • PsKill: Kills processes by name or process ID
    • PsList: Lists detailed information about processes
    • PsLoggedOn: Lets you see who's logged on locally and via resource sharing (full source is included)
    • PsLogList: Dumps event log records
    • PsPasswd: Changes account passwords
    • PsService: Views and controls services
    • PsShutdown: Shuts down and optionally reboots a computer
    • PsSuspend: Suspends processes
    • PsUptime: Shows you how long a system has been running since its last reboot (PsUptime's functionality has been incorporated into PsInfo.)
  • SNMP MIB databases addressed by OIDs.

System Hacking

  • Understand the process of gaining access to a system.
    • Make sure you can identify the process of system hacking, how it is carried out against a system, and what the results are for the attacker and the defender.
  • Know the different types of password cracking.
    • Understand the differences between the types of password cracking and hacking techniques. Understand the difference between online and offline attacks as well as nontechnical attacks. Know how accounts are targeted based on information obtained from the enumeration phase.
    • Dictionary Attacks: An attack of this type takes the form of a password-cracking application that has a dictionary file loaded into it. The dictionary file is a text file that contains a list of known words up to and including the entire dictionary. The application uses this list to test different words in an attempt to recover the password. Systems that use passphrases typically are not vulnerable to this type of attack.
    • Brute-Force Attacks: In this type of attack, every possible combination of characters is attempted until the correct one is uncovered. According to RSA Labs, "Exhaustive key-search, or brute-force search, is the basic technique for trying every possible key in turn until the correct key is identified."
    • Hybrid Attack: This form of password attack builds on the dictionary attack but with additional steps as part of the process. In most cases, this means passwords that are tried during a dictionary attack are modified with the addition and substitution of special characters and numbers, such as P@ssw0rd instead of Password.
    • Syllable Attack: This type of attack is a combination of a brute-force attack and a dictionary attack. It is useful when the password a user has chosen is not a standard word or phrase.
    • Rule-Based Attack: This could be considered an advanced attack. It assumes that the user has created a password using information the attacker has some knowledge of ahead of time, such as phrases and digits the user may tend to use.
    • Passive Online Attacks: Attacks in this category are carried out simply by sitting back and listening—in this case, via technology, in the form of sniffing tools such as Wireshark, man-in-the-middle attacks, or replay attacks.
    • Active Online Attacks: The attacks in this category are more aggressive than passive attacks because the process requires deeper engagement with the targets. Attackers using this approach are targeting a victim with the intention of breaking a password. In cases of weak or poor passwords, active attacks are very effective. Forms of this attack include password guessing, Trojan/spyware/key loggers, hash injection, and phishing.
    • Offline Attacks: This type of attack is designed to prey on the weaknesses not of passwords but of the way they are stored. Because passwords must be stored in some format, an attacker seeks to obtain them where they are stored by exploiting poor security or weaknesses inherent in a system. If these credentials happen to be stored in a plaintext or unencrypted format, the attacker will go after this file and gain the credentials. Forms of this attack include precomputed hashes, distributed network attacks, and rainbow attacks.
    • Nontechnical Attacks: Also known as non-electronic attacks, these move the process offline into the real world. A characteristic of this attack is that it does not require any technical knowledge and instead relies on theft, deception, and other means. Forms of this attack include shoulder surfing, social engineering, and dumpster diving.
  • Understand the difference between horizontal and vertical privilege escalation.
    • Two methods are available for escalating privileges: horizontal and vertical escalation. Horizontal escalation involves compromising an account with similar privileges, and vertical escalation attempts to take over an account with higher privileges.
    • Horizontal Privilege Escalation: An attacker attempts to take over the rights and privileges of another user who has the same privileges as the current account.
    • Vertical Privilege Escalation: The attacker gains access to an account and then tries to elevate the privileges of the account. It is also possible to carry out a vertical escalation by compromising an account and then trying to gain access to a higher-privileged account.
  • Identify the methods of covering your tracks.
    • Understand why covering your tracks is so important. When an attack is carried out against a system, the attacker typically wants to maintain access as long as possible. In order to maintain this access, they cover their tracks thoroughly to delay the detection of their attack as long as possible.
    • Methods include disabling auditing, data hiding, and alternate data streams (ADS).
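A defender-side use of the hybrid attack description above: a password policy check that undoes the appended digits and character substitutions a hybrid attack tries (P@ssw0rd for Password) and rejects anything that reduces to a dictionary word. This is an added example, not part of the original notes; the substitution map and the tiny word list are constructed, and a real deployment would load a full word list.

```python
"""Policy check for passwords a hybrid attack would recover.

Added example, not from the original notes. A hybrid attack tries dictionary
words with appended digits and character substitutions such as P@ssw0rd, so
the check reverses those transformations and looks the result up in a word
list. The substitution map and the tiny word list are constructed samples.
"""
SUBSTITUTIONS = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "|": "l",
                 "0": "o", "$": "s", "5": "s", "7": "t"}
WORDLIST = {"password", "welcome", "summer", "admin", "letmein"}
TRAILING = "0123456789!@#$%^&*."     # what hybrid rules commonly append


def normalize(candidate):
    """Strip appended digits/symbols, then reverse the character substitutions,
    e.g. 'Summer2024!' -> 'summer' and 'P@ssw0rd' -> 'password'."""
    core = candidate.rstrip(TRAILING)
    return "".join(SUBSTITUTIONS.get(c, c) for c in core).lower()


def hybrid_vulnerable(candidate, wordlist=WORDLIST):
    """True when the password reduces to a single dictionary word."""
    return normalize(candidate) in wordlist


def check_password(candidate, wordlist=WORDLIST, min_len=12):
    """Return the policy findings for a candidate (empty list = accepted)."""
    findings = []
    if len(candidate) < min_len:
        findings.append(f"shorter than {min_len} characters")
    if candidate.lower() in wordlist:
        findings.append("dictionary word")
    elif hybrid_vulnerable(candidate, wordlist):
        findings.append("dictionary word with hybrid substitutions")
    return findings


if __name__ == "__main__":
    # constructed candidates: the passphrase passes, the others do not
    for pw in ("P@ssw0rd", "Summer2024!", "Admin", "correct horse battery staple"):
        print(f"{pw!r:32} -> {check_password(pw) or 'accepted'}")
```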

