Certified Ethical Hacking v10 Cheat Sheet
How to Use a Cheat Sheet
A cheat sheet is a compact collection of terms and concepts, listed to jog the memory, mainly before an exam. Memorizing a large number of concepts is hard, and cheat sheets serve as quick handbooks to refer to when refreshing your memory on those concepts.
There is a difference between a cheat sheet and a proper study guide. A study guide covers every aspect of how you need to study in order to pass an exam. A cheat sheet, on the other hand, is a document of short descriptions, meanings and basic pointers that keep the necessary terms and concepts at your fingertips.
The best use of a cheat sheet may be to review the concepts already covered and write them out by hand in a separate notebook, at least three times, until you no longer need the cheat sheet. As you do this exercise, keep adding information around the listed concepts to make them easier to memorize.
Basics
5 Phases to a penetration test:
Reconnaissance
Scanning & Enumeration
Gaining Access
Maintaining Access
Covering Tracks
Attack Types
OS: Attacks that target preset OS settings
App level: Attacks via application codes
Shrink Wrap: Exploiting unpatched code and scripts
Misconfiguration: Configuration not carried out properly
Legal
18 U.S.C 1029 & 1030
RFC 1918 - Private IP Standard
RFC 3227 - Collecting and storing data
ISO 27002 - InfoSec Guidelines
CAN-SPAM - email marketing
SPY-Act - License Enforcement
DMCA - Intellectual Property
SOX - Corporate Finance Processes
GLBA - Personal Finance Data
FERPA - Education Records
FISMA - Gov Networks Security Std
CVSS - Common Vulnerability Scoring System
CVE - Common Vulnerabilities and Exposure
Reconnaissance
Definition
The first phase of ethical hacking; it involves gathering information on targets. Footprinting is a type of reconnaissance that maps out the target at a high level.
Google Hacking:
Syntax: operator:keyword additional search items
site: Search only within domain
ext: File extension
loc: Map location
intitle: Keywords in title tag of page
allintitle: Title can have any of the keywords
inurl: URL can have keywords anywhere
allinurl: URL can have any of the keywords
cache: Search only in Google cache
DNS
Port 53 nslookup (UDP), Zone xfer (TCP)
DNS record types
Service (SRV): Hostname & port number of servers
Start of Authority (SOA): Primary name server
Pointer (PTR): IP to Hostname; for reverse DNS
Name Server (NS): Name servers with namespace
Mail Exchange (MX): E-mail servers
CNAME: Aliases in zone. Lists multiple services in DNS
Address (A): IP to Hostname; for DNS lookup
DNS footprinting: whois, nslookup, dig
TCP Header Flags
URG: Indicates the data is sent out of band
ACK: Acknowledgement; sent in reply to, and after, SYN
PSH: Forces delivery without concern for buffering
RST: Forces termination of communications in both directions
SYN: Initial communication; sets parameters and sequence numbers
FIN: Ordered close of communications
DHCP
Client --Discover--> Server
Client <--Offer-- Server
Client --Request--> Server
Client <--Ack-- Server
IP is removed from pool
Cryptography
Symmetric Encryption
Key pairs required =
Symmetric Algorithms
DES: 56bit key (8bit parity); fixed block
3DES: 168bit key; keys ≤ 3
AES: 128, 192, or 256; replaced DES
IDEA: 128 bit key
Twofish: Block cipher key size ≤ 256bit
Blowfish: Rep. by AES; 64bit block
RC: Includes RC2 to RC6. Keys up to 2,040 bits; RC6 uses a 128bit block
Asymmetric Encryption
Public Key = Encrypt
Private Key = Decrypt
Asymmetric Algorithms
Diffie-Hellman: Key Exchange, used in SSL/IPSec
ECC: Elliptic Curve. Low processing power/mobile
El Gamal: Not based on primes; uses discrete logarithm problems to encrypt/sign
RSA: 2 x Prime, 4,096bit. Modern standard.
Hash Algorithms
MD5: 128bit hash, expressed as 32 hex characters
SHA1: 160bit hash. Required for use in US applications
SHA2: For separate hash 224, 256, 384, 512
Trust Models
Web of trust: Where certificates are signed by entities
Single Authority: Trust is based on a single CA, which sits at the top
Hierarchical: CA at top. RAs underneath manage certs
XKMS - XML Key Management Specification (XML PKI system)
Cryptography Attacks
Known Plaintext: Search the plaintext for repeatable sequences. Compare to the ciphertext.
Ciphertext-only: Obtain several messages encrypted with the same algorithm. Analyze them to reveal repeating code.
Replay: Performed during MITM. The system is fooled by replaying the exchange used to set up a communication channel.
Digital Certificate
It is used when user identity needs to be verified = nonrepudiation
Version: Identifies the certificate format
Serial: Unique to each certificate, helps in identifying it.
Subject: Whoever/whatever being identified by certificate
Algorithm ID: Algorithm used
Issuer: Entity that verifies authenticity of certificate
Valid from/to: start and end dates that certificate is valid through
Key usage: Displays the purpose of certificate
Subject’s Public Key: self-explanatory
Optional fields: for example Issuer ID, Subject Alt Name, etc.
Scanning & Enumeration
ICMP Message Types
0: Echo Reply: Answer to Type 8 Echo Request
3: Destination Unreachable: No host/network. Codes:
0 – Destination network unreachable
1 – Destination host unreachable
6 – Network unknown
7 – Host unknown
9 – Network administratively prohibited
10 – Host administratively prohibited
13 – Communication administratively prohibited
4: Source Quench: Congestion control message
5: Redirect: Sent when there are 2+ gateways for the sender to use, or the best route is not the configured default gateway. Codes:
0 – Redirect datagram for the network
1 – Redirect datagram for the host
8: Echo Request: Ping message requesting echo
11: Time Exceeded: Packet too long to be routed
CIDR
Method of representing IP Addresses
IPv4 Notation (prefix = addresses in block, netmask)
/30 = 4 addresses, 255.255.255.252
/28 = 16 addresses, 255.255.255.240
/26 = 64 addresses, 255.255.255.192
/24 = 256 addresses, 255.255.255.0
/22 = 1024 addresses, 255.255.252.0
/20 = 4096 addresses, 255.255.240.0
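The table rows above are all derived from one rule: a /n prefix sets the first n bits of the 32-bit mask to 1 and leaves 32-n host bits, so a block holds 2^(32-n) addresses. The following is an added example (not part of the original cheat sheet) that computes the mask, block size and usable host count for any prefix length, and finds the block boundaries for an address such as 10.0.0.77/26 using Python's standard `ipaddress` module; the sample addresses are constructed for illustration.

```python
import ipaddress


def prefix_to_mask(prefix: int) -> str:
    """Dotted-quad netmask for an IPv4 prefix length: the first `prefix`
    bits are 1, the remaining host bits are 0."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask))


def block_size(prefix: int) -> int:
    """Number of addresses in a /prefix block: 2 ** (host bits)."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    return 1 << (32 - prefix)


def usable_hosts(prefix: int) -> int:
    """Usable host addresses: the block minus network and broadcast,
    except /31 (point-to-point links, RFC 3021) and /32 (a single host)."""
    size = block_size(prefix)
    return size if prefix >= 31 else size - 2


def describe(cidr: str) -> dict:
    """Boundaries of the block containing a host written as a.b.c.d/n."""
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False accepts a host address
    if net.prefixlen >= 31:
        first, last = net.network_address, net.broadcast_address
    else:
        first, last = net.network_address + 1, net.broadcast_address - 1
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "size": net.num_addresses,
        "usable": usable_hosts(net.prefixlen),
        "first_host": str(first),
        "last_host": str(last),
    }


def same_subnet(ip_a: str, ip_b: str, prefix: int) -> bool:
    """True when both addresses fall inside the same /prefix block."""
    return (ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
            == ipaddress.ip_network(f"{ip_b}/{prefix}", strict=False))


if __name__ == "__main__":
    # Regenerate the cheat-sheet table from the rule, then describe a sample host.
    for p in (30, 28, 26, 24, 22, 20):
        print(f"/{p} = {block_size(p)} addresses, mask {prefix_to_mask(p)}")
    print(describe("10.0.0.77/26"))  # constructed sample address
```

`describe` is the check to run when a scope or firewall rule is written as a host address with a prefix: it shows which block the address actually lands in, which is what decides whether a scan or a rule covers the intended neighbours.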
Port Numbers
0 – 1023: Well-known
1024 – 49151: Registered
49152 – 65535: Dynamic
Important Port Numbers
FTP: 20/21
SSH: 22
Telnet: 23
SMTP: 25
WINS: 42
TACACS: 49
DNS: 53
HTTP: 80 / 8080
Kerberos: 88
POP3: 110
Portmapper (Linux): 111
NNTP: 119
NTP: 123
RPC-DCOM: 135
NetBIOS/SMB: 137-139
IMAP: 143
SNMP: 161/162
LDAP: 389
HTTPS: 443
CIFS: 445
RADIUS: 1812
RDP: 3389
IRC: 6667
Printer: 515, 631, 9100
Tini: 7777
NetBus: 12345
Back Orifice: 27374
Sub7: 31337
HTTP Error Codes
200 Series - OK
400 Series - Could not provide request
500 Series - Could not process request
Nmap:
Nmap is the de-facto tool for this pen-test phase
-sA: ACK scan
-sF: FIN scan
-sS: SYN (stealth) scan
-sT: TCP scan
-sI: Idle scan
-sn: PING sweep
-sN: NULL
-sR: RPC scan
-P0: No ping (now -Pn)
-sW: Window
-sX: XMAS tree scan
-PI: ICMP ping
-PS: SYN ping
-PT: TCP ping
-oN: Normal output
-oX: XML output
-A: OS detection, version detection, script scanning
-T<0-4>: Timing, slow to fast
Scan Types
TCP: 3 way handshake on all ports.
*Open = SYN/ACK, Closed = RST/ACK
SYN: SYN packets to ports (incomplete handshake).
*Open = SYN/ACK, Closed = RST/ACK
FIN: Packet with FIN flag set.
*Open = no response, Closed = RST
XMAS: Multiple flags set, for example PSH, FIN and URG. Binary header: 00101001
*Open = no response, Closed = RST
ACK: Used for Linux/Unix systems
*Open = RST, Closed = no response
IDLE: Uses a spoofed IP (a zombie host) and the SYN flag; designed for stealth.
*Open = SYN/ACK, Closed = RST/ACK
NULL: No flags set. Responses vary by OS.
These scans are designed specifically for Linux/ Unix machines.
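The scan table above is also a detection table: a segment whose flags byte is 0 (NULL), 0b00101001 (XMAS: FIN, PSH and URG) or FIN alone is never produced by a normal TCP stack, so an IDS can flag a source that sends such probes to several ports. The following is an added example (not code from the original cheat sheet) that packs and unpacks the flags byte, names the scan type a probe is consistent with, returns the expected target reply from the table above, and runs a simple per-source detector over a constructed set of sample segments; the sample addresses and the threshold of three distinct ports are assumptions for the illustration.

```python
from collections import defaultdict

# TCP flag bits as they sit in the header's flags byte (bit 0 = FIN).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def pack_flags(names) -> int:
    """Build the flags byte from flag names, e.g. FIN+PSH+URG -> 0b00101001."""
    byte = 0
    for name in names:
        byte |= TCP_FLAGS[name]
    return byte


def unpack_flags(byte: int) -> set:
    """Names of the flags set in a flags byte."""
    return {name for name, bit in TCP_FLAGS.items() if byte & bit}


def classify_probe(byte: int) -> str:
    """Scan type a single inbound segment is consistent with (per the table above)."""
    flags = unpack_flags(byte)
    if not flags:
        return "NULL"
    if flags == {"FIN", "PSH", "URG"}:
        return "XMAS"
    if flags == {"FIN"}:
        return "FIN"
    if flags == {"SYN"}:
        return "SYN"
    if flags == {"ACK"}:
        return "ACK"
    return "OTHER"


def expected_reply(scan: str, port_open: bool):
    """Target's reply per the cheat-sheet table; None means no response."""
    table = {
        "SYN":  ({"SYN", "ACK"}, {"RST", "ACK"}),
        "FIN":  (None, {"RST"}),
        "XMAS": (None, {"RST"}),
        "NULL": (None, {"RST"}),
    }
    open_reply, closed_reply = table[scan]
    return open_reply if port_open else closed_reply


def detect_scans(segments, min_ports: int = 3) -> dict:
    """Per source, count distinct destination ports probed with NULL/XMAS/FIN
    segments or bare SYNs; report only sources at or above min_ports."""
    seen = defaultdict(lambda: defaultdict(set))
    for seg in segments:
        kind = classify_probe(seg["flags"])
        if kind in ("NULL", "XMAS", "FIN", "SYN"):
            seen[seg["src"]][kind].add(seg["dport"])
    report = {}
    for src, kinds in seen.items():
        hits = {k: len(ports) for k, ports in kinds.items() if len(ports) >= min_ports}
        if hits:
            report[src] = hits
    return report


# Constructed sample: an XMAS sweep, one ordinary connection attempt, a NULL sweep.
SAMPLE_SEGMENTS = (
    [{"src": "192.0.2.10", "dport": p, "flags": pack_flags(["FIN", "PSH", "URG"])} for p in range(21, 26)]
    + [{"src": "192.0.2.20", "dport": 443, "flags": pack_flags(["SYN"])}]
    + [{"src": "192.0.2.30", "dport": p, "flags": 0} for p in (80, 443, 8080)]
)

if __name__ == "__main__":
    print(f"XMAS flags byte: {pack_flags(['FIN', 'PSH', 'URG']):08b}")
    print(detect_scans(SAMPLE_SEGMENTS))
```

The single SYN from 192.0.2.20 stays below the threshold and is not reported, which is the point of counting distinct ports rather than alerting on individual segments: one SYN is how every legitimate connection starts.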
NetBIOS
nbtstat
nbtstat -a COMPUTER190: remote name table, by computer name
nbtstat -A 192.168.10.12: remote name table, by IP address
nbtstat -n: local name table
nbtstat -c: local name cache
nbtstat -R: purge name cache
nbtstat -S 10: session statistics, redisplayed every 10 seconds
1B == master browser for the subnet
1C == domain controller
1D == domain master browser
SNMP
Uses a community string as the password. SNMPv3 encrypts the community strings.
Sniffing and Evasion
IPv4 and IPv6
IPv4 == unicast, multicast, and broadcast
IPv6 == unicast, multicast, and anycast.
Both unicast and multicast in IPv6 include site local, link local and global.
MAC Address
First half is 3 bytes (24 bits) = OUI (Organizationally Unique Identifier)
Second half = unique number
NAT (Network Address Translation)
Basic NAT is a one-to-one mapping where each internal IP is equal to a unique public IP.
NAT Overload (PAT) is port address translation. Typically used as the cheaper option.
Stateful Inspection
It is concerned with the connections and doesn't sniff every packet. It only verifies if it is a known connection, and then passes it along.
HTTP Tunneling
It is the crafting of wrapped segments through a port rarely filtered by the Firewall (e.g., 80) to carry payloads that may otherwise be blocked.
Snort IDS
It has 3 modes
Packet Sniffer: Reads IP packets and shows them on the console
Packet logger: Logs IP Packets
Network IDS: Inspects IP packets using rulesets
Span port: port mirroring
False Negative: Occurs when the IDS (Snort in this case) incorrectly reports a stream as clean
IDS Evasion Tactics
Slow down the network
Flooding the network to sneak through in the mix without an alarm or getting caught
Fragmentation
Attacking a System
C|EH Password Rules
Should not contain the user's name. A minimum of 8 characters is a must.
At least three of the four complexity components (special characters, numbers, uppercase, lowercase) must be used.
LM Hashing
7 spaces hashed: AAD3B435B51404EE
Attack types
Passive Online: Sniffing the wire to intercept and replay, capture cleartext passwords, or MITM
Active Online: Password guessing
Offline: Steal a copy of the password database (the SAM file) and crack it on a separate system
Non-electronic: Social Engineering
Sidejacking
Target and steal the cookies exchanged between systems and perform a replay style attack using them.
Authentication Types
Type 1: When you know something
Type 2: When you have something
Type 3: When you are something
Session Hijacking
When an attempt is made to steal a whole established session
1. Targeting and sniffing traffic between client and server
2. Traffic monitoring and predicting sequence
3. Desynchronize session with client
4. Take over session by predicting session token
5. Inject packets to the target server
Kerberos
It uses both symmetric and asymmetric encryption technologies and involves:
KDC: Key Distribution Centre
AS: Authentication Service
TGS: Ticket Granting Service
TGT: Ticket Granting Ticket
Process
1. Client approaches KDC (who has AS and TGS) for ticket to authenticate throughout the network. This request is in clear text.
2. The server responds with a secret key, encrypted using the copy of the user's password hash kept on the AD server.
3. If the user can decrypt it, the TGT is sent back to the server with a request to the TGS.
4. The server responds with a ticket, and the client can log on and access network resources.
SAM File
C:\Windows\system32\config
Registry
A registry setting is made up of two elements: a key that points to a location, and a value that defines the key's setting.
Root level keys:
HKEY_LOCAL_MACHINE – Hardware/software information
HKEY_CLASSES_ROOT – File associations, Object Linking and Embedding class information
HKEY_CURRENT_USER – Profile info for the current user
HKEY_USERS – User config information for all active users
HKEY_CURRENT_CONFIG – Pointer to \Hardware Profiles\
Social Engineering
Human based attacks
Dumpster diving
Impersonation
Technical Support
Shoulder Surfing
Tailgating or Piggybacking
Computer based attacks
Phishing – Scamming via emails
Whaling – Where CEOs are targeted
Pharming – Look-alike websites used to mislead users
Types of Social Engineers
Insider Associates: Employees who have limited authorized access
Insider Affiliates: Insiders who have some affiliation and can spoof the identity of the Insider
Outsider Affiliates: Outsiders who use a weak and vulnerable access point
Physical Security
3 major categories of Physical Security Measures
Physical measures: include all things that you can touch, taste and smell
Technical measures: Include all things technical like smart cards and biometrics
Operational measures: Include policies and procedures designed to maintain physical security
Web-based Hacking
CSRF - Cross Site Request Forgery
Dot-dot-slash Attack
A variant of the Unicode (directory traversal) attack; also understood to be an unvalidated input attack
SQL Injection attack types
Union Query: Uses the UNION command and returns the union of the target DB with a crafted DB
Tautology: A term used to explain a DB's behavior when deciding if a statement is true
Blind SQL Injection:
Called blind because it is a trial-and-error methodology in which the DB gives no direct responses.
Error based SQL injection:
An enumeration technique where poorly constructed commands are injected so Db can show table names and other relevant information.
Buffer Overflow:
Occurs when data written to a buffer exceeds its designated storage space, corrupting adjacent data. It is caused by a bug, insufficient bounds checking, or poorly written program code.
Stack
Heap
NOP Sled
Dangerous SQL functions
Wireless Network Hacking
Wireless Sniffing
Similar to sniffing a wire, it requires a compatible wireless adapter that supports promiscuous mode
802.11 Specifications
WEP: RC4 with 24bit vector. With 40bit or 104bit keys
WPA: RC4, supports longer keys; 48bit IV
WPA/TKIP: Changes the IV each frame and uses key mixing
WPA2: AES + TKIP features; 48bit IV
Bluetooth Attacks
Bluesmacking: DoS against a device
Bluejacking: Includes messages sent to/from devices
Bluesniffing: Involves sniffing for Bluetooth
Bluesnarfing: Stealing data from a device via Bluetooth
Trojans and Other Attacks
Virus Types
Boot: Impossible to remove; it moves the boot sector to a different location.
Camo: Named after camouflage; it disguises itself as legitimate files.
Cavity: Like a cavity in a tooth, it finds empty areas in an executable to hide in.
Macro: Written in the macro language of MS Office.
Multipartite: Attempts to infect the boot sector and files simultaneously.
Metamorphic virus: Rewrites itself when infecting a new file.
Network: Spreads with the help of network shares.
Polymorphic Code virus: Uses a built-in polymorphic engine to encrypt itself. Hard to detect because its signature keeps changing.
Shell virus: Wrapped around the application code; runs at the start of the application.
Stealth: Copies itself to deliver its payload and hides itself in files.
DOS Types:
SYN Attack: Thousands of SYN packets are sent with a false source IP address so that the target attempts a SYN/ACK response to each. As a result, all of the machine's resources are consumed.
SYN Flood: Thousands of SYN packets are sent but none of the returned SYN/ACK packets are answered, with the intention of having the target run out of available connections.
ICMP Flood: ICMP Echo packets are sent with a fake source address, with the intention of having the target attempt to respond. As a result, the target reaches its limit of packets sent per second.
Application level: Morphs the attack requests to mimic flash crowds, sending legitimate-looking heavy traffic to a web application.
Smurf: A large number of pings is sent to the subnet's broadcast address with the source IP spoofed to the target, so the whole subnet sends its ping responses to the target.
Fraggle Attack: Uses UDP, but is otherwise similar to Smurf.
Ping of Death: An ICMP message is fragmented and sent to the target. When the target reassembles the fragments, the resulting ICMP packet is larger than the maximum size, crashing the system.
Viruses
Heartbleed:
Heartbleed is a bug that allows an attacker to read the memory of systems protected by vulnerable versions of the OpenSSL software. It lets a MITM alter communication and steal information that SSL/TLS encryption protects under normal conditions.
POODLE:
Padding Oracle On Downgraded Legacy Encryption; it targets the obsolete SSLv3 protocol.
Shellshock:
Lets those without permission execute commands and code inside the ' ' by exploiting a vulnerability. Also known as a privilege escalation vulnerability.
ILOVEYOU: Originated in the Philippines; a worm that spreads via email with "I Love You" in the subject, presenting itself as a love letter. Among the most well-known and notorious.
MELISSA: Email virus, also classified as a mass-mailing virus, that targeted MS applications like Word and Outlook
Linux Commands
Linux File System
/ -Root
/var -Variable Data / Log Files
/bin -Binaries / User Commands
/sbin -Sys Binaries / Admin Commands
/root -Home dir for root user
/boot -Stores kernel
/proc -Direct access to kernel
/dev -Hardware storage devices
/mnt -Mount devices
Identifying Users and Processes
INIT: process ID 1
Root: UID and GID 0
Service accounts: 1-999
All other users: above 1000
Permissions
4 - Read
2 - Write
1 - Execute
User/Group/Others
764 - User>RWX, Grp>RW, Other>R
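The octal digits above are just the read (4), write (2) and execute (1) bits added up per class, so 764 expands to rwx for the user, rw- for the group and r-- for others. The following is an added example (not part of the original cheat sheet) that converts between octal modes and ls-style permission strings in both directions, including an optional leading digit for setuid, setgid and sticky bits, and lists the settings a reviewer usually wants flagged (world-writable files, setuid or setgid binaries); the sample modes are constructed for illustration.

```python
PERM_BITS = ((4, "r"), (2, "w"), (1, "x"))


def digit_to_rwx(digit: int) -> str:
    """One octal digit -> three characters, e.g. 6 -> 'rw-'."""
    if not 0 <= digit <= 7:
        raise ValueError("permission digit must be 0..7")
    return "".join(ch if digit & bit else "-" for bit, ch in PERM_BITS)


def mode_to_string(mode: str) -> str:
    """'764' -> 'rwxrw-r--'. A fourth leading digit carries setuid (4),
    setgid (2) and sticky (1), shown as s/t in the execute position."""
    digits = [int(d) for d in mode]
    if len(digits) not in (3, 4):
        raise ValueError("mode must have 3 or 4 octal digits")
    special = digits[0] if len(digits) == 4 else 0
    user, group, other = digits[-3:]
    chars = list(digit_to_rwx(user) + digit_to_rwx(group) + digit_to_rwx(other))
    if special & 4:
        chars[2] = "s" if chars[2] == "x" else "S"
    if special & 2:
        chars[5] = "s" if chars[5] == "x" else "S"
    if special & 1:
        chars[8] = "t" if chars[8] == "x" else "T"
    return "".join(chars)


def string_to_mode(perm: str) -> str:
    """'rwxrw-r--' -> '764'; 'rwsr-xr-x' -> '4755' (reverse of mode_to_string)."""
    if len(perm) != 9:
        raise ValueError("permission string must be 9 characters")
    special, digits = 0, []
    for i in range(0, 9, 3):
        triple = perm[i:i + 3]
        value = (4 if triple[0] == "r" else 0) + (2 if triple[1] == "w" else 0)
        if triple[2] in "xst":
            value += 1
        if triple[2] in "sS":
            special |= 4 if i == 0 else 2
        if triple[2] in "tT":
            special |= 1
        digits.append(value)
    body = "".join(str(d) for d in digits)
    return (str(special) + body) if special else body


def describe(mode: str) -> dict:
    """Per-class breakdown as the cheat sheet writes it (User/Group/Others)."""
    s = mode_to_string(mode)
    return {"user": s[0:3], "group": s[3:6], "other": s[6:9]}


def risks(mode: str) -> list:
    """Settings a permissions review normally flags."""
    digits = [int(d) for d in mode]
    special = digits[0] if len(digits) == 4 else 0
    other = digits[-1]
    found = []
    if other & 2:
        found.append("world-writable")
    if special & 4:
        found.append("setuid")
    if special & 2:
        found.append("setgid")
    return found


if __name__ == "__main__":
    for m in ("764", "644", "777", "4755"):  # constructed sample modes
        print(m, mode_to_string(m), describe(m), risks(m))
```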
Snort
Action protocol address port -> address port (option:value; option:value)
alert tcp 10.0.0.1 25 -> 10.0.0.2 25 (msg:"Sample Alert"; sid:1000;)
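The rule line above has a fixed shape: an action, a protocol, a source address and port, a direction operator, a destination address and port, then a parenthesised list of option:value pairs separated by semicolons. The following is an added example (not part of the original cheat sheet, and not Snort's own parser) that parses rule headers of that shape into a dictionary and evaluates the header part against packet metadata, including `any`, `!` negation, CIDR addresses and `lo:hi` port ranges, which goes a little beyond the single-host rule on the page. The second rule and the packet records are constructed for illustration; payload options such as `content` are deliberately not evaluated.

```python
import ipaddress
import re

RULE_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def _split_options(text: str) -> list:
    """Split 'k:v; k:v;' on ';' while ignoring semicolons inside double quotes."""
    parts, cur, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_rule(rule: str) -> dict:
    """Rule text -> header fields plus an options dict (flag options map to True)."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"not a rule header: {rule!r}")
    options = {}
    for part in _split_options(m.group("opts")):
        key, _, value = part.partition(":")
        options[key.strip()] = value.strip().strip('"') if value else True
    return {
        "action": m.group("action").lower(), "proto": m.group("proto").lower(),
        "src": m.group("src"), "sport": m.group("sport"), "direction": m.group("dir"),
        "dst": m.group("dst"), "dport": m.group("dport"), "options": options,
    }


def _addr_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _addr_matches(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _port_matches(spec[1:], port)
    if ":" in spec:  # lo:hi, with either end optional
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def rule_matches(rule: dict, pkt: dict) -> bool:
    """Header-only match; '<>' also accepts the reversed direction."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    forward = (_addr_matches(rule["src"], pkt["src"]) and _port_matches(rule["sport"], pkt["sport"])
               and _addr_matches(rule["dst"], pkt["dst"]) and _port_matches(rule["dport"], pkt["dport"]))
    if rule["direction"] == "->":
        return forward
    reverse = (_addr_matches(rule["src"], pkt["dst"]) and _port_matches(rule["sport"], pkt["dport"])
               and _addr_matches(rule["dst"], pkt["src"]) and _port_matches(rule["dport"], pkt["sport"]))
    return forward or reverse


def run_rules(rules, packets) -> list:
    """(sid, msg, packet index) for every rule that matches a packet."""
    return [(r["options"].get("sid"), r["options"].get("msg"), i)
            for i, pkt in enumerate(packets) for r in rules if rule_matches(r, pkt)]


SAMPLE_RULES = [
    'alert tcp 10.0.0.1 25 -> 10.0.0.2 25 (msg:"Sample Alert"; sid:1000;)',  # the page's rule
    'alert tcp !10.0.0.0/8 any -> 10.0.0.0/24 1:1024 (msg:"External to low ports"; sid:1001;)',  # constructed
]
SAMPLE_PACKETS = [  # constructed packet metadata
    {"proto": "tcp", "src": "10.0.0.1", "sport": 25, "dst": "10.0.0.2", "dport": 25},
    {"proto": "tcp", "src": "10.0.0.1", "sport": 25, "dst": "10.0.0.2", "dport": 80},
    {"proto": "tcp", "src": "198.51.100.7", "sport": 40000, "dst": "10.0.0.2", "dport": 22},
    {"proto": "udp", "src": "198.51.100.7", "sport": 40000, "dst": "10.0.0.2", "dport": 53},
]

if __name__ == "__main__":
    for hit in run_rules([parse_rule(r) for r in SAMPLE_RULES], SAMPLE_PACKETS):
        print(hit)
```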
Command Line Tools
NMap
nmap -sT -T5 -n -p 1-100 10.0.0.1
Netcat
nc -v -z -w 2 10.0.0.1
TCPdump
tcpdump -i eth0 -v -X ip proto 1
Snort
snort -vde -c my.rules 1
hping
hping3 -I eth0 -c 10 -a 2.2.2.2 -t 100 10.0.0.1
iptables
iptables -A FORWARD -j ACCEPT -p tcp --dport 80
Tools of Trade
Vulnerability Research
National Vulnerability Database
Eccouncil.org
Exploit-db
Foot-printing
Website Research Tools
Netcraft
Webmaster
Archive
DNS and Whois Tools
Nslookup
Sam Spade
ARIN
WhereisIP
DNSstuff
DNS-Digger
Website Mirroring
Wget
Archive
GoogleCache
Scanning and Enumeration
Ping Sweep
Angry IP Scanner
MegaPing
Scanning Tools
SuperScan
NMap (Zenmap)
NetScan Tools Pro
Hping
Netcat
War Dialing
THC-Scan
TeleSweep
ToneLoc
WarVox
Banner Grabbing
Telnet
ID Serve
Netcraft
Xprobe
Vulnerability Scanning
Nessus
SAINT
Retina
Core Impact
Nikto
Network Mapping
NetMapper
LANState
IPSonar
Proxy, Anonymizer, and Tunneling
Tor
ProxySwitcher
ProxyChains
SoftCab
HTTP Tunnel
Anonymouse
Enumeration
SuperScan
User2Sid/Sid2User
LDAP Admin
Xprobe
Hyena
SolarWinds
SNMP Enumeration
SNMPUtil
SNMPScanner
System Hacking Tools
Password Hacking
Cain
John the Ripper
LCP
THC-Hydra
ElcomSoft
Aircrack
Rainbow Crack
Brutus
KerbCrack
Sniffing
Wireshark
Ace
KerbSniff
Ettercap
Keyloggers and Screen Capture
KeyProwler
Ultimate Keylogger
All In One Keylogger
Actual Spy
Ghost
Hidden Recorder
Desktop Spy
USB Grabber
Privilege Escalation
Password Recovery Boot Disk
Password Reset
Password Recovery
System Recovery
Executing Applications
PDQ Deploy
RemoteExec
Dameware
Spyware
Remote Desktop Spy
Activity Monitor
OSMonitor
SSPro
Spector Pro
Covering Tracks
ELsave
CCleaner
EraserPro
Evidence Eliminator
Packet Crafting/Spoofing
Komodia
Hping2
PackEth
Packet Generator
Netscan
Scapy
Nemesis
Session Hijacking
Paros Proxy
Burp Suite
Firesheep
Hamster/Ferret
Ettercap
Hunt
Cryptography and Encryption
Encryption
True Crypt
BitLocker
DriveCrypt
Hash Tools
MD5 Hash
Hash Calc
Steganography
XPTools
ImageHide
Merge Streams
StegParty
gifShuffle
QuickStego
InvisibleSecrets
EZStego
OmniHidePro
Cryptanalysis
Cryptobench
Sniffing
Packet Capture
Wireshark
CACE
tcpdump
Capsa
OmniPeek
Windump
dnsstuff
EtherApe
Wireless
Kismet
Netstumbler
MAC Flooding/Spoofing
Macof
SMAC
ARP Poisoning
Cain
UfaSoft
WinARP Attacker
Wireless
Discovery
Kismet
NetStumbler
inSSIDer
NetSurveyor
Packet Sniffing
Cascade Pilot
Omnipeek
CommView
Capsa
WEP/WPA Cracking
Aircrack
KisMac
Wireless Security Auditor
WepAttack
WepCrack
coWPatty
Bluetooth
BTBrowser
BH Bluejack
BTScanner
Bluesnarfer
Mobile Device Tracking
Where's My Droid
Find My Phone
GadgetTrack
iHound
Trojans and Malware
Wrappers
Elite Wrap
Monitoring Tools
HiJackThis
CurrPorts
Fport
Attack Tools
Netcat
Nemesis
IDS
Snort
Evasion Tools
ADMutate
NIDSBench
IDSInformer
Inundator
Web Attacks
Wfetch
Httprecon
ID Serve
WebSleuth
Black Widow
CookieDigger
Nstalker
NetBrute
SQL Injection
BSQL Hacker
Marathon
SQL Injection Brute
SQL Brute
SQLNinja
SQLGET