CEH Cheat Sheet
Ethical Hacking is a term also defined as Penetration Testing. It is a procedure used to detect the flaws and vulnerabilities in computer systems and their security. The certification offers knowledge of rising security threats and the related defensive measures concerning the most recent network and computing technologies. Another reason you need this certification is because it gives you access to more than 2,200 hacking tools with real-time situations to experience with.
Keeping in view the rising numbers of cyber-attacks and vital personal information at risk, professionals working in the field of network and data security must get CEH certification training. Certified Ethical Hackers are in high demand. CEH certification would provide career advancement opportunities with lucrative salaries.
In this article, we will be studying the CEH Cheat Sheet to provide you a handy preparation guide for this certification exam.
Terms and Definitions
Before going into detail, you must get yourself familiar with the following terms and their meanings:
|
Term |
Definition / Meaning |
|
Hax0r |
Hacker |
|
Uberhacker |
Good hacker |
|
L33t Sp33k |
Swapping characters to avoid filters |
|
Full Disclosure |
Revealing vulnerabilities |
|
Hacktivism |
Hacking for a reason |
|
Suicide Hacker |
Hopes to be traced and caught |
|
Ethical Hacker |
Hacks for protective measures |
|
Penetration Test |
Define true security risks |
|
Vulnerability Assessment |
The idea of security levels |
|
Vulnerability Researcher |
Tracks down weaknesses |
|
White Hat |
Hacks with prior permission |
|
Grey Hat |
Considers full disclosure |
|
Black Hat |
Hacks without permission |
|
White Box |
A test is known to everyone |
|
Grey Box |
A test with a precise goal but undefined means |
|
Black Box |
A test that no one knows is happening |
|
Threat |
Potential incident |
|
Vulnerability |
Weakness |
|
Exposure |
Approachability |
|
Exploit |
An act of attacking |
|
TOE |
Target of Evaluation |
|
Rootkit |
Hides processes that generate backdoors |
|
Botnet |
A robotic network that can be controlled remotely |
|
Buffer Overflow |
Hijack the execution stages of a program |
|
Shrinkwrap Code |
Reused code with weaknesses |
Start Your 7-Day FREE TRIAL with InfoSec Academy.
Legal Issues
United States
|
Computer Fraud And Abuse Act
· 18 U.S.C. 1029 Possession of Access Devices
· 18 U.S.C. 1030 Fraud and Related Activity in Connection with Computers |
Addresses hacking activities |
|
CAN-SPAM |
Defines legal email marketing |
|
SPY-Act |
Protects vendors monitoring for license implementation |
|
DMCA - Digital Millennium Copyright Act |
Intellectual property protection |
|
SOX - Sarbanes Oxley Controls |
Corporate financial processes |
|
GLBA - Gramm-Leech Bliley Act Controls |
Personal financial data |
|
HIPPA - Health Information Portability and Protection Act |
Privacy of medical records |
|
FERPA - Family Educational Rights and Privacy Act |
Protection of education records |
|
FISMA - Federal Information Security Management Act |
Mandatory security standards for Government networks |
Europe
|
Computer Misuse Act of 1990 |
Caters hacking activities |
|
Human Rights Act of 1990 |
Guarantees privacy rights |
Domain Name Service
DNS plays a vital role in the foot-printing of a target network. DNS is a potential target for several types of attacks.
Regional Internet Registries
|
APNIC |
Asia Pacific |
|
ARIN |
North America |
|
LACNIC |
Southern and Central America, Caribbean |
|
RIPE NCC |
Europe, Middle East, Central Asia |
|
AFRINIC |
Africa |
Attacks Against DNS Servers
|
Zone Transfers |
A shortcut of information gathering |
|
Zone Poisoning |
Breaching of the primary server and altering the zone file to corrupt the domain |
|
Cache Poisoning |
Sends wrong answers to cache servers |
|
Reflection DoS |
Send false requests into a chain of servers which run repetitive queries |
Google Hacking
Google is a tool used by hackers to enumerate a target without even reaching it. The advanced search syntax is fairly easy to use, but it can often be peculiar. A lot of practice and experimentation is needed for this.
Google Advanced Operators
|
site |
Limits keywords to search within a specific domain |
|
ext |
File extension |
|
loc |
Maps location |
|
intitle |
Keywords in page’s title tag |
|
allintitle |
Possibility of any of the keywords in the title |
|
inurl |
Keywords in the URL |
|
allinurl |
Possibility of any of the keywords in the URL |
|
incache |
Searches only Google cache |
Combinations of Keyword
|
Password, passlist, username, user |
|
Login, logon |
|
Administrator, Admin, Root |
|
Prototype, Test, Example |
Nmap Scan Types
Nmap is the default tool for foot-printing networks. It enables you to find live hosts, access points, fingerprinting operating systems, and verifying services. It also contains important IDS evasion capabilities.
Discovery scans
|
Option |
Description |
|
-sP Ping |
-sP Ping |
|
-sL List Scan |
-sL List Scan |
|
-sO Protocol |
-sO Protocol |
|
-sV Verify |
-sV Verify |
Normal scans
|
|
Windows |
Closed |
||||
|
Option |
Desc |
Flags |
Open |
Closed |
Open |
Closed |
|
-sT |
Connect |
S |
SA |
RA |
SA |
RA |
|
-sS |
Stealth |
S |
SA |
RA |
SA |
RA |
Inverse scans
|
|
Windows |
Closed |
||||
|
Option |
Desc |
Flags |
Open |
Closed |
Open |
Closed |
|
-sN |
Null |
- |
RA |
RA |
- |
RA |
|
-sX |
Xmas |
UPF |
RA |
RA |
- |
RA |
|
-sF |
Fin |
F |
RA |
RA |
- |
RA |
|
-sA |
Ack |
A |
R |
R |
R |
R |
|
-sW |
Window |
A |
R |
R |
R |
R |
Subscribe to LITE Subscription with InfoSecAcademy.io and enjoy access to information security courses, learning analytics and access to expert community, ABSOLUTELY FREE.
TCP Flags
This test will have situations that necessitate you to determine an understanding of TCP behavior comprising Nmap scan types. You should be aware of these combinations well.
TCP Flags
0 0 URG ACK PSH RST SYN FIN
TCP Handshake (Open Port)
TCP Handshake (Closed Port)
NMap Stealth Scan (Open Port)
NMap Xmas Scan (Open Port)
NMap ACK Scan
Ports & Protocols
Protocols
|
1 |
ICMP |
|
6 |
TCP |
|
17 |
UDP |
|
47 |
GRE |
|
50 |
AH |
|
51 |
ESP |
Ports
|
20 - 21 |
FTP |
|
22 |
SSH |
|
23 |
Telnet |
|
25 |
SMTP |
|
42 |
WINS |
|
53 |
DNS |
|
80 - 81 -8080 |
HTTP |
|
88 |
Kerberos |
|
110 |
POP3 |
|
111 |
Portmapper (Linux) |
|
119 |
NNTP |
|
135 |
RPC-DCOM |
|
137 - 138 - 139 |
SMB |
|
143 |
IMAP |
|
161 - 162 |
SNMP |
|
389 |
LDAP |
|
445 |
CIFS |
|
1080 |
SOCKS5 |
|
3389 |
RDP |
|
6667 |
IRC |
|
14237 |
Palm Pilot Remote Sync |
Trojan Horses
|
7777 |
Tini |
|
12345 |
NetBus |
|
27374 |
Back Orifice |
|
31337 |
Sub7 |
Enumeration
Enumeration is used for the enlistment of policies, user accounts, shares, and other resources. This phase happens just before weakness assessment and helps the attack put together the best approach for the attainment of access.
Protecting Information Disclosure
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
“0” is the default for Windows 2000 and provides everything
“1” is the default for Windows 2003 and provides less
“2” is the maximum safe setting but makes a machine less cooperative with others
Microsoft SIDs
|
S-1-5-21-< |
>-500 |
In-built Local administrator |
|
S-1-5-21-< |
>-501 |
In-built Local guest |
|
S-1-5-21-< |
>-512 |
In-built Domain administrator |
|
S-1-5-21-< |
>-1000 |
Anything above 1000 is users that have been created |
Ports involved with enumerations attacks
|
111 |
Linux Portmapper Service |
|
42 |
WINS |
|
88 |
Kerberos |
|
135 |
Windows RPC-DCOM |
|
137 |
NetBIOS Name Service |
|
138 |
NetBIOS Datagram Service |
|
139 |
NetBIOS Sessions |
|
161 |
SNMP Agent |
|
162 |
SNMP Traps |
|
389 |
LDAP |
|
445 |
CIFS (Common Internet File System) |
Password cracking
This test will have situations that necessitate you to determine an understanding of TCP behavior. You should be aware of these combinations well.
Password cracking techniques
|
Guessing |
most effective, assuming information assembly beforehand |
|
Dictionary |
encoded list of words |
|
Brute force |
Trying every potential arrangement of characters |
|
Hybrid |
A combination of all other attacks |
LM Hashes
Eventually, every password is of 14 characters long, split into two seven characters each
Passwords that are less than seven characters are easily known in the SAM file (hash ends in 404EE)
Rainbow Tables
|
"Time / Memory Tradeoff"" |
Uses lesser memory than a lookup and lesser computing than a brute force. |
|
Salting |
The hash is a way to contest rainbow tables. |
Cracking Effort
|
Weak passwords |
can be resolved very easily |
|
Strong passwords |
May take the lifetime of numerous universes to resolve |
|
Rainbow Tables |
Resolve the "Time / Memory Trade-Off" |
|
DNA |
Distributed Network Architecture |
Popular Cracking Tools
|
John the Ripper |
A command-line tool that runs under both Windows and Linux |
|
Lophtcrack |
Profitable tool |
|
ophtcrack |
An open-source tool that supports rainbow tables |
|
Cain and Abel |
A flexible commanding tool that then snuffles and cracks passwords of many types |
Trojans and Malware
The official definition is:
An authentic application that has been improved with malicious code. A Trojan horse is a social engineering technique. It conceals as an authentic download and inserts the victim's host with a contact point or a client that can link outbound to a server waiting remotely. They don't necessarily exploit a weakness unless license escalation is necessary. They offer a command set for whoever connects to them that includes: File browsers, key loggers, webcam viewers, and many additional tools.
Terms
|
Wrapper or Binder |
It is used to combine a malicious binary and an authentic program |
|
Rootkit |
It can be installed via Trojan, used to hide procedures that create a way in access |
|
HTTP Trojan |
Reverses a connection outbound through an HTTP or SHTTP tunnel |
|
Netcat |
It's not a Trojan, but regularly used in Trojan code to set up the listening socket |
|
Hoax |
Many legit tools are rumored to be Trojans but might not be |
|
Key logger |
It records the keystrokes and saves them in a log |
Famous Trojans
|
Tini |
Small 3Kb file, uses port 7777 |
|
Loki |
Used ICMP as a channeling protocol |
|
Netbus |
One of the first RATs (Remote Authentication Trojan) |
|
Sub 7 |
Written in Delphi, extended on what Netbus had demonstrated |
|
Back Orifice |
First modular malware, had the abilities to be expanded on by external authors |
|
Beast |
All in one Client / Server binary |
|
MoSucker |
The client can select the infection method for each binary |
|
Nuclear RAT |
Reverse linking Trojan |
|
Monkey Shell |
Provides a powerful shell setting that can reverse networks and encrypt commands |
Take our CEH Bootcamp or subscribe to "Learn" subscription at InfoSecAcademy.io and start your 7-day FREE TRIAL today!
Deleting Trojans
|
netstat / fport |
Command-line tools for viewing exposed ports and networks |
|
tcpview |
GUI tool for viewing open ports and connections |
|
Process Viewer |
GUI tool for displaying open processes including child processes |
|
Autoruns |
Lists all programs that will run on startup and where they are termed from |
|
Hijack |
It will show a list of rare registry entries and files on the drive |
|
Spybot S&D |
Originally volunteer supported scanning and revealing tool |
Virus Trivia
It’s not essential to know all 40k or all other malware variants that have been discovered. But there are a few that are important for demonstrating the skills of this method of attack.
Types of virus
|
Boot Virus |
Boot sector of floppies or hard disks is infected |
|
Macro Virus |
It is written in Microsoft Office Macro language |
|
Network Virus |
It spreads via network shares |
|
Stealth Virus |
It hides and copies itself out to deliver a payload |
|
Polymorphic Virus |
It encodes itself |
|
Cavity Virus |
It hides in the empty areas of executable |
|
Tunneling Virus |
It traces interceptor programs that observe OS Kernel requests |
|
Camouflage Virus |
Camouflage themselves as legit files |
|
Multipartite Virus |
Infects via multiple paths |
|
Metamorphic Virus |
Modify itself |
Famous virus
|
Elk Cloner |
First virus |
|
Morris |
First worm |
|
I Love You |
VBScript worm sent through email |
|
Melissa |
Macro virus |
|
Klez |
Mass mailer with its SMTP engine |
|
Slammer |
Targets SQL server, the total size of 376 bytes |
|
MyDoom |
Mass mailer uses port 3127, attacks the host's file |
|
MonteCarlo |
Memory resident, copies to the end on .exe files |
Sniffing
The most influential attack tool is Social Engineering. No equipment or technology is required, and often negligible expense. Awareness and proper user education can prevent it, and even then, errors in judgment can still exist.
Methods for defeating a switch
|
Admin the switch |
By guessing the password for the switch, a port can be positioned into monitor mode |
|
MAC Spoofing |
Setting the MAC address of a NIC to the same value as another |
|
MAC Flooding |
CAM table of the switch can be Overpower, so it converts to hub mode |
|
ARP Poisoning |
Giving incorrect information into the ARP caches of two or more endpoints. |
Wireshark command-line tools
|
tshark |
It is the command-line version of Wireshark |
|
dumpcap |
It captures traffic |
|
capinfos |
It reads a capture file and returns statistics about it |
|
editcap |
It edits or translates the format of capture files |
|
mergecap |
It merges multiple capture files into one file |
|
text2pcap |
It generates a capture file from an ASCII hexdump of packets |
|
tcpflow |
It extracts data torrents from dump files |
|
tcptrace |
It analyzes TCP conversations |
|
tcpreplay |
It can resend capture packets |
MAC Addresses
An understanding of hardware addresses is required to sniffing and crushing Ethernet switches. Local attacks involve too many risks; that’s why Intrusion Detection Systems are observing for too much ARP traffic or strange MAC addresses.
The MAC 48 Format
A Media Access Control address is 48 bits. The vendor code consists of the first 3 bytes of the MAC, and the other three bytes are arbitrarily assigned.
A broadcast MAC address is
FF: FF: FF: FF: FF: FF
Addresses can be assigned in two ways
BIA - Burned in Address
OUI - Organizationally Unique Identifier
Internet Protocol
For a delivery between networks, internet protocol is in charge of packaging datagrams. It is a "best-effort" protocol with no correction. For more information, read RFC 791.
Internet Control Message Protocol
It generates message datagrams that can be exchanged by network hosts for troubleshooting, error reporting, and informatio
User Datagram Protocol
User Datagram Protocol is a modest fast transport protocol that is used for its low overhead in circumstances where error correction and flow control is not needed, such as short bursts of messages. UDP is tough to firewall off successfully because it is outlawed.
Transmission Control Protocol
TCP surely provides a layer of 5-7 messages for transport and flow control. It includes IP, ICMP, and UDP, and it is difficult to understand this protocol critically: Scanning, Firewalls, Intrusion Detection, and various types of DoS attacks.
Social Engineering
It is the most commanding attack tool. No equipment or technology is required, and often negligible expense.
The principles of Social Engineering
|
Authority |
An intimidating presence |
|
Scarcity |
Create the perception of loss or lack of access to a resource |
|
Liking |
Charm and charisma |
|
Reciprocation |
The victim believes they owe the attacker a favor |
|
Consistency |
Appealing the victim's true feelings and opinions |
|
Social Validation |
Compliments and praise |
Types of Social Engineers
|
Insider Associates |
They have limited certified access and escalate rights from there. |
|
Insider Affiliates |
They are insiders by affiliation, and they spoof the identity of the insider. |
|
Outsider Affiliates |
Are non-trusted outsiders that use an access point that was left open |
Start Your 7-Day FREE TRIAL with InfoSec Academy.
DoS and DDoS
Awkward and difficult attacks are Denial of Services and Distributed Denial of Service. They are exceptionally difficult to avoid from being attempted. The best defense is a well-designed network that is hard to overcome.
DoS Methods
|
Buffer Overflows |
It crashes applications or services |
|
Smurf |
Bluffed traffic sent to the broadcast address of a network |
|
Fraggle |
UDP version of the Smurf, typically bouncing Charge traffic off Echo ports |
|
Ping of Death |
Packet larger than the 64k limit |
|
Teardrop |
Offset values modified to cause fragments to overlap during reassembly results in short packet |
|
Unnamed |
Equalizes values modified to cause gaps between fragments and results in long packets |
|
Syn Flood |
SYN flags sent to open ports, handshake not completed |
|
Winnuke |
Sends TCP traffic with the URG flag set, causes maximum consumption of CPU |
Dos Tools
|
Jolt2 |
It overflows with illegal traffic results in maximum CPU utilization |
|
Land and La Tierra |
It performs teardrop and land attacks |
|
Targa |
It offers a menu of several DoS attacks |
|
Blast20 |
It is also considered to be a web server load tester |
|
Crazy Pinger |
ICMP flooder |
|
UDP Flood |
UDP flooder is written by Found stone |
DDos Attacks
Botnets - Command and Control Center (C & CC). It communicates with "Handlers," which in term communicate with Zombies. The infected machines with malware are handlers and zombies. The C&CC is either a distributed system of infected machines or can even be a chat room on IRC.
DDoS Tools
|
Trinoo |
The very first to reveal "Master/slave" DDoS attacks |
|
Tribal Flood Network |
It could launch several DoS attacks from scattered positions at the same time |
|
TFN2K |
Bug fixes and updates to the original TFN |
|
Stacheldraht |
Means "Barbed Wire" in German |
|
Agobot |
A modular IRC bot, many derivatives have been created from this code |
|
Nuclear Bot |
Developed by "Nuclear Winter Crew" and written in Delphi, many features |
Buffer Overflows
The detection of BO attacks and understanding BO scripts is very critical and involves several basic concepts.
Terminology
|
Stack |
Memory place for short term processing |
|
Heap |
Memory space for long term program execution |
|
Push |
"Push" new instructions onto the stack |
|
Pop |
"Pop" instructions off the stack when processed |
|
EIP |
Execute Instruction Pointer, the memory address of next instruction to be executed |
|
NOOP |
A "do nothing" instruction that wastes a clock cycle |
|
NOOP Sled |
Placed in a buffer overflow exploit to aid in running the payload |
HTTP and URLs
It is the protocol for the World Wide Web. The client sends a request to the server, which in turn passes the request to an application. Several possible attack types are in exchange since all of these components can have weaknesses.
HTTP Error Codes
|
200 Series |
Everything is OK |
|
400 Series |
Could not provide the requested resource (page not found, moved, authentication failure) |
|
500 Series |
Could not process request (script error, database connection error) |
Wireless Technology
Wireless Security
|
WEP |
Uses RC4 for the stream cipher with a 24b initialization vector Key sizes are 40b or 104b |
|
WPA |
Uses RC4 for the stream cipher but supports longer keys |
|
WPA/TKIP |
Changes the IV with each frame and includes key mixing |
|
WPA2 |
Uses AES as the stream cipher and includes all the features of TKIP |
|
OSA |
Open Systems Authentication is a non-protected AP that broadcasts its SSID |
|
PSK |
An encryption standard protects Pre-Shared Key |
Terms and Tools
|
Wardriving |
Driving around with portable equipment and locating wireless networks |
|
Warchalking |
Writing symbols on the sidewalk or buildings communicating found networks |
|
Jamming |
Producing white noise signals that overpower the Wifi networks |
|
Netstumbler |
Finds wireless networks, SSIDS, and channels |
|
Ministumbler |
for the pocket pc |
|
Macstumbler |
for the Macintosh |
|
AirPcap |
Hardware tools for wardriving, WEP cracking and sniffing |
|
Airopeek |
Sniffer that specializes in wireless traffic |
|
AircrackNG |
WEP cracker |
|
Airsnort |
Another WEP cracker |
|
CoWPAtty |
WPA offline brute force cracker |
Cryptography
Cryptography is assumed pre-requisite and still a good idea to review some core terminologies.
Terms and Definitions
|
Plaint Text |
The data set before encryption |
|
Cipher Text |
The result of encryption |
|
Cryptanalysis |
Attempting to "break" and encryption algorithm |
|
Cryptography |
Obscuring the meaning of a message |
|
Steganography |
Hiding a message within another |
|
Salt |
Ensures different keys are created each time |
|
Initialization Vector |
Change the characteristics of the key each time it is reused |
Types of Cryptography
|
Symmetric |
Single key both encrypts and decrypts |
|
Asymmetric
|
A pair of keys, public and private are mathematically associated One encrypts and the other decrypts, the private key is always a secret |
|
One-Way Hash
|
Cannot be reversed, the only brute-forced Used to represent data, Sometimes called "Digital Fingerprint" or "Message Digest." |
|
“For more guidance on CEH Certifications, Chat with our experts at InfoSec Academy.” |