CEH Cheat Sheet

Ethical hacking, also called penetration testing, is the process of finding flaws and vulnerabilities in computer systems and their security. The CEH certification covers emerging security threats and the corresponding defensive measures for current network and computing technologies. It also gives you access to more than 2,200 hacking tools and realistic scenarios to practice with.

Given the rising number of cyber-attacks and the amount of sensitive personal information at risk, professionals working in network and data security should get CEH certification training. Certified Ethical Hackers are in high demand, and the certification opens up career advancement opportunities with attractive salaries.

This article presents a CEH cheat sheet as a handy preparation guide for the certification exam.

Terms and Definitions

Before going into detail, familiarize yourself with the following terms and their meanings:

Term | Definition / Meaning
Hax0r | Hacker
Uberhacker | Good hacker
L33t Sp33k | Swapping characters to avoid filters
Full Disclosure | Revealing vulnerabilities
Hacktivism | Hacking for a cause
Suicide Hacker | Hopes to be traced and caught
Ethical Hacker | Hacks for protective measures
Penetration Test | Determines the true security risks
Vulnerability Assessment | Establishes the level of security
Vulnerability Researcher | Tracks down weaknesses
White Hat | Hacks with prior permission
Grey Hat | Considers full disclosure
Black Hat | Hacks without permission
White Box | A test that is known to everyone
Grey Box | A test with a precise goal but undefined means
Black Box | A test that no one knows is happening
Threat | A potential incident
Vulnerability | A weakness
Exposure | Accessibility
Exploit | The act of attacking
TOE | Target of Evaluation
Rootkit | Hides the processes that create backdoors
Botnet | A robotic network that can be controlled remotely
Buffer Overflow | Hijacks the execution flow of a program
Shrinkwrap Code | Reused code with weaknesses


Legal Issues

United States

Law | Scope
Computer Fraud and Abuse Act: 18 U.S.C. 1029 (Possession of Access Devices) and 18 U.S.C. 1030 (Fraud and Related Activity in Connection with Computers) | Addresses hacking activities
CAN-SPAM | Defines legal email marketing
SPY-Act | Protects vendors monitoring for license compliance
DMCA - Digital Millennium Copyright Act | Intellectual property protection
SOX - Sarbanes-Oxley Act | Controls corporate financial processes
GLBA - Gramm-Leach-Bliley Act | Controls personal financial data
HIPAA - Health Insurance Portability and Accountability Act | Privacy of medical records
FERPA - Family Educational Rights and Privacy Act | Protection of education records
FISMA - Federal Information Security Management Act | Mandatory security standards for government networks

Europe

Law | Scope
Computer Misuse Act of 1990 | Covers hacking activities
Human Rights Act of 1990 | Guarantees privacy rights

 

Domain Name Service

DNS plays a vital role in footprinting a target network, and DNS itself is a potential target for several types of attack.

Regional Internet Registries

Registry | Region
APNIC | Asia Pacific
ARIN | North America
LACNIC | South and Central America, Caribbean
RIPE NCC | Europe, Middle East, Central Asia
AFRINIC | Africa

Attacks Against DNS Servers

Attack | Description
Zone Transfers | A shortcut for information gathering
Zone Poisoning | Breaching the primary server and altering the zone file to corrupt the domain
Cache Poisoning | Sends false answers to caching servers
Reflection DoS | Sends spoofed requests into a chain of servers that run repetitive queries

 

Google Hacking

Google is a tool hackers use to enumerate a target without ever touching it. The advanced search syntax is fairly easy to use, but it can be peculiar, so a lot of practice and experimentation is needed.

Google Advanced Operators

Operator | Meaning
site | Limits the search to a specific domain
ext | File extension
loc | Map location
intitle | Keywords in the page's title tag
allintitle | Any of the keywords in the title
inurl | Keywords in the URL
allinurl | Any of the keywords in the URL
incache | Searches only the Google cache

Keyword Combinations

Password, passlist, username, user

Login, logon

Administrator, Admin, Root

Prototype, Test, Example

 

Nmap Scan Types

Nmap is the default tool for footprinting networks. It finds live hosts and access points, fingerprints operating systems, and verifies services. It also has important IDS evasion capabilities.

In the tables below the flag letters are S=SYN, A=ACK, R=RST, U=URG, P=PSH, F=FIN, and "-" means no response.

Discovery scans

Option | Description
-sP | Ping scan
-sL | List scan
-sO | Protocol scan
-sV | Verify services (version detection)

Normal scans

Option | Desc | Flags sent | Windows Open | Windows Closed | Open | Closed
-sT | Connect | S | SA | RA | SA | RA
-sS | Stealth | S | SA | RA | SA | RA

Inverse scans

Option | Desc | Flags sent | Windows Open | Windows Closed | Open | Closed
-sN | Null | - | RA | RA | - | RA
-sX | Xmas | UPF | RA | RA | - | RA
-sF | Fin | F | RA | RA | - | RA
-sA | Ack | A | R | R | R | R
-sW | Window | A | R | R | R | R


TCP Flags

The exam will include situations that require you to demonstrate an understanding of TCP behaviour, including how the Nmap scan types use it. Know these flag combinations well.

TCP flag bit layout (most significant bit first): 0 0 URG ACK PSH RST SYN FIN

Flag exchanges to know (shown on the original page as a figure that is not reproduced here):

TCP Handshake (Open Port)

TCP Handshake (Closed Port)

Nmap Stealth Scan (Open Port)

Nmap Xmas Scan (Open Port)

Nmap ACK Scan
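As an added example (not code from the original cheat sheet), the following Python encodes the flag layout above, reproduces the expected open/closed responses from the scan tables, and picks Null, FIN and Xmas probes out of constructed log lines; the log-line format, addresses and port numbers are assumptions made for the sample, not any real tool's output.

```python
"""Encode/decode TCP flag bytes, model the scan tables, and spot inverse-scan probes.

Added example, not part of the original cheat sheet. The bit layout
(URG ACK PSH RST SYN FIN) and the response tables come from the page;
the log-line format below is a constructed sample.
"""
import re

# Bit values of the six classic TCP flags (low six bits of the flags field)
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
LETTER_TO_NAME = {"S": "SYN", "A": "ACK", "R": "RST", "U": "URG", "P": "PSH", "F": "FIN"}
NAME_TO_LETTER = {name: letter for letter, name in LETTER_TO_NAME.items()}
PAGE_ORDER = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")  # order used on the page


def flags_to_byte(short_flags):
    """Page shorthand to a byte: 'SA' -> 0x12, '-' (no flags) -> 0x00."""
    value = 0
    for letter in short_flags:
        if letter != "-":
            value |= FLAG_BITS[LETTER_TO_NAME[letter]]
    return value


def byte_to_flags(value):
    """Byte to page shorthand in page order: 0x29 -> 'UPF', 0x00 -> '-'."""
    letters = [NAME_TO_LETTER[n] for n in PAGE_ORDER if value & FLAG_BITS[n]]
    return "".join(letters) or "-"


# Flag bytes that each Nmap probe type sends, per the scan tables
PROBE_SIGNATURES = {
    0x02: "SYN (-sT connect / -sS stealth)",
    0x00: "Null (-sN)",
    0x01: "FIN (-sF)",
    0x29: "Xmas (-sX)",
    0x10: "ACK (-sA / -sW window)",
}


def classify_probe(flag_byte):
    return PROBE_SIGNATURES.get(flag_byte & 0x3F, "not a known Nmap probe")


def expected_response(scan, port_open, windows=False):
    """Flags the target sends back per the tables; '-' means no response at all."""
    if scan == "SYN":
        return "SA" if port_open else "RA"
    if scan in ("Null", "FIN", "Xmas"):
        if windows:
            return "RA"  # Windows answers RST/ACK whether the port is open or closed
        return "-" if port_open else "RA"
    if scan in ("ACK", "Window"):
        return "R"
    raise ValueError(f"unknown scan type {scan!r}")


# Constructed log format: "<src> -> <dst>:<port> flags=0x<hex>"
LOG_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) flags=0x(?P<flags>[0-9a-fA-F]{2})$")

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "10.0.0.5 -> 10.0.0.9:80 flags=0x02",   # plain SYN: looks like any normal connect
    "10.0.0.5 -> 10.0.0.9:443 flags=0x02",
    "10.0.0.7 -> 10.0.0.9:22 flags=0x29",   # URG+PSH+FIN: Xmas probe
    "10.0.0.7 -> 10.0.0.9:23 flags=0x00",   # no flags: Null probe
    "10.0.0.7 -> 10.0.0.9:25 flags=0x01",   # FIN only: FIN probe
    "10.0.0.8 -> 10.0.0.9:80 flags=0x18",   # PSH+ACK: ordinary data segment
]


def find_inverse_probes(lines):
    """Return (src, port, flags) for Null/FIN/Xmas probes. These combinations never
    start a legitimate connection, so a single hit is a strong scan indicator,
    unlike a lone SYN, which needs rate-based detection."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        flags = int(m.group("flags"), 16) & 0x3F
        if flags in (0x00, 0x01, 0x29):
            hits.append((m.group("src"), int(m.group("port")), byte_to_flags(flags)))
    return hits


if __name__ == "__main__":
    for src, port, flags in find_inverse_probes(SAMPLE_LOG):
        print(f"{src} probed port {port} with flags {flags}: {classify_probe(flags_to_byte(flags))}")
```

The Windows column of the tables is the reason the `windows` parameter exists: because Windows replies RST/ACK to Null, FIN and Xmas probes regardless of port state, those scans cannot distinguish open from closed ports there, which is exactly what the exam tables are testing.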

 

Ports & Protocols

Protocols (IP protocol numbers)

Number | Protocol
1 | ICMP
6 | TCP
17 | UDP
47 | GRE
50 | AH
51 | ESP

Ports

Port | Service
20 - 21 | FTP
22 | SSH
23 | Telnet
25 | SMTP
42 | WINS
53 | DNS
80 - 81 - 8080 | HTTP
88 | Kerberos
110 | POP3
111 | Portmapper (Linux)
119 | NNTP
135 | RPC-DCOM
137 - 138 - 139 | SMB
143 | IMAP
161 - 162 | SNMP
389 | LDAP
445 | CIFS
1080 | SOCKS5
3389 | RDP
6667 | IRC
14237 | Palm Pilot Remote Sync

Trojan Horses (default ports)

Port | Trojan
7777 | Tini
12345 | NetBus
27374 | Back Orifice
31337 | Sub7

 

Enumeration

Enumeration is used to list policies, user accounts, shares, and other resources. This phase happens just before vulnerability assessment and helps the attacker put together the best approach for gaining access.

Protecting Against Information Disclosure

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous

Value | Effect
"0" | Default for Windows 2000; allows anonymous access to everything
"1" | Default for Windows 2003; allows less
"2" | The most secure setting, but makes the machine less cooperative with others

Microsoft SIDs

SID | Account
S-1-5-21-<…>-500 | Built-in local Administrator
S-1-5-21-<…>-501 | Built-in local Guest
S-1-5-21-<…>-512 | Built-in Domain Administrators
S-1-5-21-<…>-1000 and above | Accounts that have been created (user-created accounts and groups)
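The SID table above is what an account audit keys on: the RID at the end identifies the built-in accounts no matter what they have been renamed to. The following Python parser and classifier is an added example, not from the cheat sheet; the well-known RIDs (500, 501, 512) and the "1000 and above" rule come from the table, and the account names and SIDs in the sample are constructed.

```python
"""Parse Windows account SIDs and classify the RID.

Added example, not part of the original cheat sheet. Well-known RIDs and the
"1000 and above is user-created" rule are from the page's SID table; the
sample accounts below are constructed, not real SIDs.
"""
import re

# S-1-5-21-<three 32-bit sub-authorities>-<RID>: a local machine or domain account
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

WELL_KNOWN_RIDS = {
    500: "built-in local Administrator",
    501: "built-in local Guest",
    512: "built-in Domain Admins group",
}


def parse_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into the machine/domain identifier and the RID."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a machine/domain account SID: {sid!r}")
    parts = [int(p) for p in m.groups()]
    return {"identifier": tuple(parts[:3]), "rid": parts[3]}


def classify_rid(rid):
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= 1000:
        return "user-created account or group"
    return "other well-known RID"


def find_renamed_admins(accounts):
    """accounts: iterable of (name, sid). Renaming the Administrator account does
    not change its RID, so an audit keyed on RID 500 still finds it."""
    return [name for name, sid in accounts
            if parse_sid(sid)["rid"] == 500 and name.lower() != "administrator"]


# Constructed sample, not real SIDs
SAMPLE_ACCOUNTS = [
    ("Administrator", "S-1-5-21-1111111111-2222222222-3333333333-500"),
    ("Guest", "S-1-5-21-1111111111-2222222222-3333333333-501"),
    ("svc_backup", "S-1-5-21-1111111111-2222222222-3333333333-1004"),
    ("helpdesk", "S-1-5-21-4444444444-5555555555-6666666666-500"),  # renamed admin on another machine
]

if __name__ == "__main__":
    for name, sid in SAMPLE_ACCOUNTS:
        print(f"{name:15} RID {parse_sid(sid)['rid']:>5}: {classify_rid(parse_sid(sid)['rid'])}")
    print("RID-500 accounts not named Administrator:", find_renamed_admins(SAMPLE_ACCOUNTS))
```

The `identifier` tuple is returned separately because two accounts with the same RID on different machines (the two RID-500 entries in the sample) are different accounts; only the full SID is unique.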

 

Ports involved in enumeration attacks

Port | Service
111 | Linux Portmapper Service
42 | WINS
88 | Kerberos
135 | Windows RPC-DCOM
137 | NetBIOS Name Service
138 | NetBIOS Datagram Service
139 | NetBIOS Sessions
161 | SNMP Agent
162 | SNMP Traps
389 | LDAP
445 | CIFS (Common Internet File System)

 

Password cracking

The exam will include situations that require you to demonstrate an understanding of how passwords are stored and cracked. Know these techniques well.

Password cracking techniques

Technique | Description
Guessing | Most effective, assuming information gathering beforehand
Dictionary | Encoded list of words
Brute force | Trying every possible combination of characters
Hybrid | A combination of the other attacks

LM Hashes

Every password is padded to 14 characters and split into two halves of seven characters each
Passwords of fewer than seven characters are easy to spot in the SAM file (the hash ends in 404EE)

Rainbow Tables

"Time / Memory Tradeoff": uses less memory than a lookup table and less computation than a brute force

Salting

Adding a salt to the hash is a way to defeat rainbow tables
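The LM Hashes entry above is the basis of a simple audit: because LM hashes each seven-character half separately, an empty second half always produces the same constant, AAD3B435B51404EE (the "404EE" ending the page refers to), so any account whose LM hash ends that way has a password of seven characters or fewer. The Python below is an added example, not from the cheat sheet; the pwdump-style lines are constructed and the hash values are not real password hashes.

```python
"""Audit LM hashes in a pwdump-style dump for short passwords.

Added example, not part of the original cheat sheet. LM pads the password to
14 characters, splits it into two 7-character halves and hashes each half on
its own, so an empty second half is always the constant AAD3B435B51404EE.
The dump lines below are constructed; the hash values are not real.
"""
EMPTY_HALF = "AAD3B435B51404EE"  # LM hash of seven padding (empty) characters


def audit_lm_hash(lm_hex):
    """Classify one 32-hex-character LM hash by what its two halves reveal."""
    lm = lm_hex.strip().upper()
    if len(lm) != 32 or any(c not in "0123456789ABCDEF" for c in lm):
        raise ValueError("LM hash must be 32 hex characters")
    first, second = lm[:16], lm[16:]
    if first == EMPTY_HALF and second == EMPTY_HALF:
        return "no LM hash stored (LM disabled or empty password)"
    if second == EMPTY_HALF:
        return "password is 7 characters or fewer: only one 7-char half to crack"
    return "password is 8-14 characters: two independent 7-char halves"


def audit_dump(lines):
    """Parse 'user:rid:lmhash:nthash:::' lines and return {user: finding}."""
    findings = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # not a hash line
        user, lm_hash = fields[0], fields[2]
        findings[user] = audit_lm_hash(lm_hash)
    return findings


def short_password_users(lines):
    """Users whose LM hash shows a password of seven characters or fewer."""
    return sorted(u for u, f in audit_dump(lines).items() if f.startswith("password is 7"))


# Constructed sample in pwdump layout; hash values are made up
SAMPLE_DUMP = [
    "# constructed sample, not a real SAM dump",
    "alice:1001:0123456789ABCDEFAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::",
    "bob:1002:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::",
    "carol:1003:AAD3B435B51404EEAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::",
]

if __name__ == "__main__":
    for user, finding in audit_dump(SAMPLE_DUMP).items():
        print(f"{user:8} {finding}")
```

The mitigation the audit points at is to stop storing LM hashes at all (the `NoLMHash` LSA setting, or passwords longer than 14 characters, which have no LM hash), since even the 8-14 character case is only two independent seven-character problems.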

 

Cracking Effort

Password type | Effort
Weak passwords | Can be cracked very easily
Strong passwords | May take the lifetime of numerous universes to crack
Rainbow Tables | Resolve the "Time / Memory Trade-Off"
DNA | Distributed Network Architecture

Popular Cracking Tools

Tool | Description
John the Ripper | A command-line tool that runs under both Windows and Linux
L0phtCrack | Commercial tool
Ophcrack | An open-source tool that supports rainbow tables
Cain and Abel | A flexible, powerful tool that sniffs and cracks passwords of many types

 

Trojans and Malware

The official definition is:

A legitimate application that has been modified with malicious code. A Trojan horse is a social engineering technique: it disguises itself as a legitimate download and plants on the victim's host either a listening contact point or a client that connects outbound to a server waiting remotely. Trojans don't necessarily exploit a vulnerability unless privilege escalation is required. They offer a command set to whoever connects to them, including file browsers, key loggers, webcam viewers, and many other tools.

Terms

Term | Meaning
Wrapper or Binder | Combines a malicious binary with a legitimate program
Rootkit | Can be installed via a Trojan; hides the processes that create backdoor access
HTTP Trojan | Reverses a connection outbound through an HTTP or SHTTP tunnel
Netcat | Not a Trojan, but regularly used in Trojan code to set up the listening socket
Hoax | Many legitimate tools are rumored to be Trojans but are not
Key logger | Records keystrokes and saves them to a log

Famous Trojans

Trojan | Notes
Tini | Small 3 KB file; uses port 7777
Loki | Used ICMP as a tunneling protocol
Netbus | One of the first RATs (Remote Access Trojans)
Sub7 | Written in Delphi; extended what Netbus had demonstrated
Back Orifice | First modular malware; could be extended by external authors
Beast | All-in-one client/server binary
MoSucker | The client can select the infection method for each binary
Nuclear RAT | Reverse-connecting Trojan
Monkey Shell | Provides a powerful shell environment that can reverse through networks and encrypt commands


Deleting Trojans

Tool | Description
netstat / fport | Command-line tools for viewing open ports and connections
tcpview | GUI tool for viewing open ports and connections
Process Viewer | GUI tool for displaying running processes, including child processes
Autoruns | Lists all programs that run at startup and where they are launched from
HijackThis | Shows a list of unusual registry entries and files on the drive
Spybot S&D | Originally a volunteer-supported scanning and removal tool

 

Virus Trivia

It's not essential to know all 40k malware variants that have been discovered, but a few are important for demonstrating the skills of this method of attack.

Types of virus

Type | Description
Boot Virus | Infects the boot sector of floppies or hard disks
Macro Virus | Written in the Microsoft Office macro language
Network Virus | Spreads via network shares
Stealth Virus | Hides and copies itself out to deliver a payload
Polymorphic Virus | Encodes itself
Cavity Virus | Hides in the empty areas of an executable
Tunneling Virus | Traces interceptor programs that monitor OS kernel requests
Camouflage Virus | Disguises itself as a legitimate file
Multipartite Virus | Infects via multiple paths
Metamorphic Virus | Modifies itself

Famous viruses

Virus | Notes
Elk Cloner | First virus
Morris | First worm
I Love You | VBScript worm sent through email
Melissa | Macro virus
Klez | Mass mailer with its own SMTP engine
Slammer | Targets SQL Server; total size of 376 bytes
MyDoom | Mass mailer; uses port 3127; attacks the hosts file
MonteCarlo | Memory resident; copies itself to the end of .exe files

 

 

 

Sniffing


Methods for defeating a switch

Method | Description
Admin the switch | By guessing the switch password, a port can be placed into monitor mode
MAC Spoofing | Setting the MAC address of a NIC to the same value as another
MAC Flooding | The switch's CAM table can be overwhelmed so that it falls back to hub mode
ARP Poisoning | Feeding incorrect information into the ARP caches of two or more endpoints

Wireshark command-line tools

Tool | Description
tshark | The command-line version of Wireshark
dumpcap | Captures traffic
capinfos | Reads a capture file and returns statistics about it
editcap | Edits or converts the format of capture files
mergecap | Merges multiple capture files into one file
text2pcap | Generates a capture file from an ASCII hexdump of packets
tcpflow | Extracts data streams from dump files
tcptrace | Analyzes TCP conversations
tcpreplay | Resends captured packets

 

MAC Addresses

An understanding of hardware addresses is required for sniffing and attacking Ethernet switches. Local attacks carry many risks, which is why Intrusion Detection Systems watch for excessive ARP traffic or unusual MAC addresses.

The MAC-48 Format

A Media Access Control address is 48 bits. The vendor code is the first 3 bytes of the MAC, and the other three bytes are arbitrarily assigned.

The broadcast MAC address is FF:FF:FF:FF:FF:FF

Addresses can be assigned in two ways:

BIA - Burned-in Address

OUI - Organizationally Unique Identifier
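The following Python is an added example, not from the cheat sheet, covering both the MAC-48 format just described and the ARP Poisoning entry in the switch table above. It parses a MAC into its vendor OUI and the remaining bytes, recognises the broadcast address, and reads the two status bits of the first byte from the IEEE 802 format (the I/G multicast bit and the U/L locally-administered bit, the latter being the "unusual MAC" an IDS looks for because a burned-in address never has it set). It then applies the simplest ARP-poisoning check, an IP answered by more than one MAC, to a constructed list of ARP replies; the addresses are made up.

```python
"""Parse MAC-48 addresses and detect ARP cache conflicts.

Added example, not part of the original cheat sheet. The 3-byte OUI plus
3 vendor-assigned bytes and the FF:FF:FF:FF:FF:FF broadcast address are from
the page; the I/G and U/L bits are from the IEEE 802 address format. The ARP
reply records below are a constructed sample.
"""
import re
from collections import defaultdict


def parse_mac(text):
    """Accept 'aa:bb:cc:dd:ee:ff', 'AA-BB-CC-DD-EE-FF' or the page's spaced
    'FF: FF: FF: FF: FF: FF' and return the six raw bytes."""
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(cleaned) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(cleaned)


def format_mac(mac):
    return ":".join(f"{b:02X}" for b in mac)


def describe_mac(text):
    mac = parse_mac(text)
    first = mac[0]
    return {
        "oui": mac[:3].hex().upper(),          # vendor code, first three bytes
        "nic": mac[3:].hex().upper(),          # vendor-assigned, last three bytes
        "is_broadcast": mac == b"\xff" * 6,
        "is_multicast": bool(first & 0x01),          # I/G bit
        "locally_administered": bool(first & 0x02),  # U/L bit: not a burned-in address
    }


def detect_arp_conflicts(arp_replies):
    """arp_replies: iterable of (ip, mac) seen on the wire. One IP answered by two
    different MACs is the classic sign of ARP poisoning (or a misconfiguration);
    the caller decides which of the MACs is the legitimate one."""
    seen = defaultdict(set)
    for ip, mac in arp_replies:
        seen[ip].add(format_mac(parse_mac(mac)))
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


# Constructed sample ARP replies (ip, mac); none of these are real hosts
SAMPLE_ARP_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:55"),   # gateway's usual address
    ("10.0.0.20", "00:11:22:AA:BB:CC"),
    ("10.0.0.1", "02:DE:AD:BE:EF:01"),   # same IP, different locally-administered MAC
    ("10.0.0.1", "00:11:22:33:44:55"),
]

if __name__ == "__main__":
    print(describe_mac("FF: FF: FF: FF: FF: FF"))
    for ip, macs in detect_arp_conflicts(SAMPLE_ARP_REPLIES).items():
        flags = [m for m in macs if describe_mac(m)["locally_administered"]]
        print(f"{ip} claimed by {macs}; locally administered: {flags}")
```

On a real segment the gateway's true MAC would be pinned from a known-good source (a static ARP entry or the switch's own table), so that the conflicting, typically locally-administered, address is the one reported rather than just "two MACs".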

Internet Protocol

The Internet Protocol is responsible for packaging datagrams for delivery between networks. It is a "best-effort" protocol with no error correction. For more information, read RFC 791.

Internet Control Message Protocol

It generates message datagrams that network hosts exchange for troubleshooting, error reporting, and information.

User Datagram Protocol

The User Datagram Protocol is a simple, fast transport protocol used for its low overhead where error correction and flow control are not needed, such as short bursts of messages. UDP is hard to firewall effectively because it is stateless.

Transmission Control Protocol

TCP provides reliable transport and flow control for layer 5-7 messages. Together with IP, ICMP, and UDP, it is critical to understand this protocol thoroughly: scanning, firewalls, intrusion detection, and various types of DoS attacks all depend on it.

Social Engineering

It is the most powerful attack tool. No equipment or technology is required, and the expense is often negligible. Awareness and proper user education can prevent it, but even then errors in judgment can still occur.

The principles of Social Engineering

Principle | Description
Authority | An intimidating presence
Scarcity | Creates the perception of loss or lack of access to a resource
Liking | Charm and charisma
Reciprocation | The victim believes they owe the attacker a favor
Consistency | Appeals to the victim's true feelings and opinions
Social Validation | Compliments and praise

Types of Social Engineers

Type | Description
Insider Associates | Have limited authorized access and escalate rights from there
Insider Affiliates | Insiders by affiliation; they spoof the identity of the insider
Outsider Affiliates | Non-trusted outsiders who use an access point that was left open


DoS and DDoS

Denial of Service and Distributed Denial of Service attacks are awkward and difficult to handle. They are exceptionally hard to prevent from being attempted; the best defense is a well-designed network that is hard to overwhelm.

DoS Methods

Method | Description
Buffer Overflows | Crashes applications or services
Smurf | Spoofed traffic sent to the broadcast address of a network
Fraggle | UDP version of Smurf, typically bouncing chargen traffic off echo ports
Ping of Death | Packet larger than the 64k limit
Teardrop | Offset values modified so that fragments overlap during reassembly, resulting in a short packet
Unnamed | Offset values modified to cause gaps between fragments, resulting in long packets
Syn Flood | SYN flags sent to open ports; the handshake is never completed
Winnuke | Sends TCP traffic with the URG flag set, causing maximum CPU consumption
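The Syn Flood entry above describes the handshake being left incomplete, and that is also what a detector counts: handshakes that a source opened with a SYN and never finished. The Python below is an added example, not from the cheat sheet. It tracks pending handshakes per (source IP, source port) over an event list in arrival order, using the page's flag letters (S=SYN, A=ACK, R=RST), and flags sources holding more than a threshold of half-open connections; the events and addresses are a constructed sample.

```python
"""Count half-open TCP handshakes per source to flag a SYN flood.

Added example, not part of the original cheat sheet. Events are
(src_ip, src_port, flags) in arrival order with the page's letters:
'S' opens a handshake, a later 'A' from the same (ip, port) completes it,
'R' abandons it. The event list is a constructed sample.
"""
from collections import Counter


def half_open_per_source(events):
    """Return Counter {src_ip: number of handshakes still pending}."""
    pending = set()
    for src_ip, src_port, flags in events:
        key = (src_ip, src_port)
        if flags == "S":
            pending.add(key)
        elif flags in ("A", "R"):
            pending.discard(key)  # completed (ACK) or torn down (RST)
    return Counter(ip for ip, _ in pending)


def syn_flood_suspects(events, threshold=3):
    """Sources with at least `threshold` half-open connections (threshold is an
    assumed tuning value, not a figure from the page)."""
    counts = half_open_per_source(events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed sample (src_ip, src_port, flags); documentation-range addresses
SAMPLE_EVENTS = [
    ("10.0.0.5", 40001, "S"), ("10.0.0.5", 40001, "A"),   # normal handshake completes
    ("10.0.0.5", 40002, "S"), ("10.0.0.5", 40002, "R"),   # client gave up cleanly
    ("203.0.113.9", 1, "S"), ("203.0.113.9", 2, "S"),     # four SYNs, no ACK ever follows
    ("203.0.113.9", 3, "S"), ("203.0.113.9", 4, "S"),
    ("198.51.100.4", 5000, "S"),                          # one pending: still in progress
]

if __name__ == "__main__":
    print(half_open_per_source(SAMPLE_EVENTS))
    print("SYN flood suspects:", syn_flood_suspects(SAMPLE_EVENTS))
```

Per-source counting only works while the source addresses are real; a flood that spoofs a fresh source per SYN shows up instead as the total pending count on the target, which is why the usual host-side mitigation is SYN cookies (no state kept until the final ACK arrives) rather than blocking by source.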

 

DoS Tools

Tool | Description
Jolt2 | Floods with illegal traffic, resulting in maximum CPU utilization
Land and La Tierra | Perform teardrop and land attacks
Targa | Offers a menu of several DoS attacks
Blast20 | Also considered a web server load tester
Crazy Pinger | ICMP flooder
UDP Flood | UDP flooder written by Foundstone

 

DDos Attacks

Botnets use a Command and Control Center (C&CC) that communicates with "handlers", which in turn communicate with zombies. Handlers and zombies are machines infected with malware. The C&CC is either a distributed system of infected machines or can even be a chat room on IRC.

DDoS Tools

Tool | Description
Trinoo | The first to demonstrate "master/slave" DDoS attacks
Tribal Flood Network | Could launch several DoS attacks from scattered positions at the same time
TFN2K | Bug fixes and updates to the original TFN
Stacheldraht | Means "barbed wire" in German
Agobot | A modular IRC bot; many derivatives have been created from this code
Nuclear Bot | Developed by the "Nuclear Winter Crew" and written in Delphi; many features

 

Buffer Overflows

Detecting buffer overflow attacks and understanding buffer overflow scripts is critical and involves several basic concepts.

Terminology

Term | Meaning
Stack | Memory space for short-term processing
Heap | Memory space for long-term program execution
Push | "Push" new data onto the stack
Pop | "Pop" data off the stack when processed
EIP | Extended Instruction Pointer: the memory address of the next instruction to be executed
NOOP | A "do nothing" instruction that consumes a clock cycle
NOOP Sled | Placed in a buffer overflow exploit to help land execution on the payload

 

HTTP and URLs

HTTP is the protocol of the World Wide Web. The client sends a request to the server, which in turn passes the request to an application. Since every one of these components can have weaknesses, several attack types are possible within this exchange.

HTTP Status Codes

Series | Meaning
200 Series | Everything is OK
400 Series | Could not provide the requested resource (page not found, moved, authentication failure)
500 Series | Could not process the request (script error, database connection error)

 

Wireless Technology

Wireless Security

Standard | Description
WEP | Uses RC4 as the stream cipher with a 24-bit initialization vector; key sizes are 40 or 104 bits
WPA | Uses RC4 as the stream cipher but supports longer keys
WPA/TKIP | Changes the IV with each frame and includes key mixing
WPA2 | Uses AES as the cipher and includes all the features of TKIP
OSA | Open System Authentication: an unprotected AP that broadcasts its SSID
PSK | Pre-Shared Key: a shared key protects the encryption

Terms and Tools

Term / Tool | Description
Wardriving | Driving around with portable equipment to locate wireless networks
Warchalking | Writing symbols on sidewalks or buildings to communicate found networks
Jamming | Producing white-noise signals that overpower the Wi-Fi networks
Netstumbler | Finds wireless networks, SSIDs, and channels
Ministumbler | For the Pocket PC
Macstumbler | For the Macintosh
AirPcap | Hardware tool for wardriving, WEP cracking and sniffing
Airopeek | Sniffer that specializes in wireless traffic
Aircrack-ng | WEP cracker
Airsnort | Another WEP cracker
CoWPAtty | WPA offline brute-force cracker

 

Cryptography

Cryptography is assumed as a prerequisite, but it is still a good idea to review some core terminology.

Terms and Definitions

Term | Definition
Plain Text | The data before encryption
Cipher Text | The result of encryption
Cryptanalysis | Attempting to "break" an encryption algorithm
Cryptography | Obscuring the meaning of a message
Steganography | Hiding a message within another
Salt | Ensures different hashes or keys are produced each time
Initialization Vector | Changes the characteristics of the key each time it is reused

Types of Cryptography

Type | Description
Symmetric | A single key both encrypts and decrypts
Asymmetric | A pair of mathematically related keys, public and private; one encrypts and the other decrypts, and the private key is always kept secret
One-Way Hash | Cannot be reversed, only brute-forced; used to represent data. Sometimes called a "Digital Fingerprint" or "Message Digest"
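The Salt term above and the Salting entry in the Password cracking section make the same point: a precomputed table is only useful if the same password always hashes to the same value. The Python below is an added example, not from the cheat sheet, serving both passages. It builds the smallest possible precomputed table (a plain hash-to-word lookup; a rainbow table is a compressed form of the same idea) over a constructed word list, shows an unsalted hash being recovered from it, and then shows that a salted PBKDF2-HMAC-SHA256 hash of the same word is absent from the table and differs between two users who chose the same password. The word list and salts are constructed.

```python
"""Why salting defeats precomputed (lookup / rainbow) tables.

Added example, not part of the original cheat sheet. Uses only the standard
library: SHA-256 for the unsalted case and PBKDF2-HMAC-SHA256 for the salted
one. The word list is a constructed sample.
"""
import hashlib
import hmac
import os

WORDLIST = ["password", "letmein", "qwerty", "admin123"]  # constructed sample


def unsalted_sha256(password):
    """The kind of hash a precomputed table can be built against."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """hash -> word: the precomputation an attacker does once and reuses forever."""
    return {unsalted_sha256(w): w for w in words}


def lookup(table, digest):
    """Recover the word for a digest, or None if it is not in the table."""
    return table.get(digest)


def salted_hash(password, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA256. The salt is stored next to the digest and need not be
    secret; its job is to make every user's hash a separate problem."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def new_salted_record(password):
    """What a password store saves: a fresh random salt and the salted digest."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify(password, salt, stored_digest):
    """Constant-time comparison so the check itself leaks nothing about the digest."""
    return hmac.compare_digest(salted_hash(password, salt), stored_digest)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted lookup:", lookup(table, unsalted_sha256("letmein")))
    salt_a, digest_a = new_salted_record("letmein")
    salt_b, digest_b = new_salted_record("letmein")
    print("salted lookup:", lookup(table, digest_a))          # None: table is useless
    print("same password, same digest?", digest_a == digest_b)  # False
    print("verify correct password:", verify("letmein", salt_a, digest_a))
```

The iteration count is the other half of the defence: the "Time / Memory Tradeoff" of a rainbow table assumes hashing is cheap, and a slow key-derivation function raises the cost of every guess whether or not a table is used.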

 
