If you’re in need of a quick reference for the EC-Council Certified Ethical Hacker exam, we’ve got you covered.
With nine knowledge domains covering the “latest commercial-grade hacking tools, techniques, and methodologies used by hackers and information security professionals to lawfully hack an organization,” there is no shortage of things you have to remember for this exam.
Use this CEH cheat sheet to supplement our hacking and CEH exam courses, and as a quick reference for terminology, definitions, port numbers, methodology, and various important commands.
We hope this helps you boost your career by becoming a Certified Ethical Hacker. You can download the PDF version of this cheat sheet here.
Insider Affiliates: Insiders by virtue of affiliation who spoof the identity of an insider
Outsider Affiliates: Non-trusted outsiders who use an access point that was left open
3 MAJOR CATEGORIES OF PHYSICAL SECURITY MEASURES
Physical measures: things you can touch, taste, or smell
Technical measures: smart cards, biometrics
Operational measures: policies and procedures
CSRF – CROSS SITE REQUEST FORGERY
Variant of Unicode or un-validated input attack
SQL INJECTION ATTACK TYPES
Union Query: Use the UNION command to return the union of target Db with a crafted Db
Tautology: Term used to describe behavior of a Db when deciding if a statement is true.
Blind SQL Injection: Trial and Error with no responses or prompts.
Error-based SQL Injection: Enumeration technique. Inject poorly constructed commands so the Db responds with error messages that reveal table names and other information
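The tautology and error-based cases above, as an added example that is not part of the original cheat sheet: a lookup built by string concatenation beside its parameterized form, run against a constructed in-memory SQLite table (all names and rows are made up for the demo).

```python
import sqlite3

def make_db():
    """Constructed in-memory table standing in for the target Db (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn, name):
    # Concatenates the input into the statement, so the Db parses it as SQL.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Parameterized query: the driver binds the value, which is never parsed as SQL.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def error_leaked(conn, name):
    """Error-based case: does the vulnerable path surface a raw Db error to the caller?"""
    try:
        lookup_vulnerable(conn, name)
        return None
    except sqlite3.Error as exc:
        return str(exc)

def demo():
    conn = make_db()
    tautology = "x' OR '1'='1"  # always-true WHERE clause (the page's "Tautology" case)
    return {
        "normal": lookup_vulnerable(conn, "alice"),                  # [('alice', 'admin')]
        "tautology_vulnerable": lookup_vulnerable(conn, tautology),  # every row comes back
        "tautology_safe": lookup_safe(conn, tautology),              # []
        "error_vulnerable": error_leaked(conn, "x'"),                # sqlite3 syntax error text
        "error_safe": lookup_safe(conn, "x'"),                       # []
    }
```

The defensive point is the last two keys: the parameterized path returns an empty result for malformed input instead of a Db error, so there is nothing to enumerate from.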
A condition that occurs when more data is written to a buffer than it has space to store and results in data corruption. Caused by insufficient bounds checking, a bug, or poor configuration in the program code.
Stack: Premise is all program calls are kept in a stack and performed in order. Try to change a function pointer or variable to allow code execution
Heap: Takes advantage of memory “on top of” the application (dynamically allocated). Use program to overwrite function pointers
NOP Sled: Takes advantage of instruction called “no-op”. Sends a large number of NOP instructions into buffer. Most IDS protect from this attack.
Dangerous C Functions
The following do not check the size of destination buffers: gets() strcpy() strcat() printf()
Wireless Network Hacking
Compatible wireless adapter with promiscuous mode is required, but otherwise pretty much the same as sniffing wired.
WEP: RC4 with 24-bit IV. Keys are 40 or 104-bit
WPA: RC4 supports longer keys; 48-bit IV
WPA/TKIP: Changes IV each frame and key mixing
WPA2: AES + TKIP features; 48-bit IV
Bluesmacking: DoS against a device
Bluejacking: Sending messages to/from devices
Bluesniffing: Sniffs for Bluetooth
Bluesnarfing: actual theft of data from a device
Trojans and Other Attacks
Boot: Moves boot sector to another location. Almost impossible to remove.
Camo: Disguises itself as legitimate files.
Cavity: Hides in empty areas of an exe.
Macro: Written in MS Office Macro Language
Multipartite: Attempts to infect files and boot sector at same time.
Metamorphic virus: Rewrites itself when it infects a new file.
Network: Spreads via network shares.
Polymorphic virus: Constantly changing signature makes it hard to detect.
Shell virus: Like boot sector but wrapped around application code, and run on application start.
Stealth: Hides in files, copies itself to deliver payload.
Send thousands of SYN packets with a false IP address. Target will attempt SYN/ACK response. All machine resources will be engaged.
Send thousands of SYN Packets but never respond to any of the returned SYN/ACK packets. Target will run out of available connections.
Send ICMP Echo packets with a fake source address. Target attempts to respond but reaches a limit of packets sent per second.
Send more “legitimate” traffic to a web application than it can handle.
Send large number of pings to the broadcast address of the subnet with source IP spoofed to target. Subnet will send ping responses to target.
Similar to Smurf but uses UDP.
Ping of Death:
Attacker fragments an ICMP message to send to the target. When the fragments are reassembled, the resultant ICMP packet is larger than the maximum size and crashes the system
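Detection logic for the two SYN variants above, as an added example that is not part of the original cheat sheet: at the target, a spoofed-source SYN and a SYN whose sender simply never answers look the same, a SYN/ACK that is never followed by the third ACK, so one half-open counter covers both. The flow records are constructed to mirror tcpdump's flag notation; the addresses are documentation ranges, not real hosts.

```python
from collections import defaultdict

# Constructed flow records modelled on tcpdump's TCP flag notation (not real traffic):
# (src_ip, dst_ip, dst_port, flags) with "S" = SYN, "S." = SYN/ACK, "." = handshake ACK.
SAMPLE = (
    [("198.51.100.7", "10.0.0.2", 80, "S")] * 40          # 40 SYNs, never completed
    + [("10.0.0.2", "198.51.100.7", 80, "S.")] * 40        # target answers every one of them
    + [("192.0.2.10", "10.0.0.2", 80, "S"),                # one ordinary client ...
       ("10.0.0.2", "192.0.2.10", 80, "S."),
       ("192.0.2.10", "10.0.0.2", 80, ".")]                # ... that finishes the handshake
)

def half_open_by_source(records):
    """SYNs minus completed handshakes per client source; only client-side packets count."""
    syns, acks = defaultdict(int), defaultdict(int)
    for src, _dst, _port, flags in records:
        if flags == "S":
            syns[src] += 1
        elif flags == ".":
            acks[src] += 1
    return {src: syns[src] - acks[src] for src in syns}

def syn_flood_sources(records, threshold=20):
    """Sources that left more than `threshold` connections half-open in this window."""
    return sorted(src for src, n in half_open_by_source(records).items() if n > threshold)
```

On real captures the threshold is tuned per window length, and a high count spread across many sources (each below threshold) is the spoofed-source variant, so also watch the total of half-open entries, not just the per-source maximum.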
LINUX FILE SYSTEM
-Variable Data / Log Files
-Binaries / User Commands
-Sys Binaries / Admin Commands
-Home dir for root user
-Direct access to kernel
-Hardware storage devices
IDENTIFYING USERS AND PROCESSES
INIT process ID 1
Root UID, GID 0
Accounts of Services 1-999
All other users Above 1000
4 – Read
2 – Write
1 – Execute
764 – User>RWX, Grp>RW, Other>R
action protocol address port -> address port (option:value;option:value)
alert tcp 10.0.0.1 25 -> 10.0.0.2 25 (msg:"Sample Alert"; sid:1000;)
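A parser for the rule header format shown above, as an added example that is not part of the original cheat sheet: it splits a one-line rule into its header fields and option pairs and checks whether the header would fire on a given 5-tuple. It handles only the `->` direction, `any`, and Snort-style `lo:hi` port ranges; the sample rule is the page's own, reproduced as a constant.

```python
import re

# The page's sample rule, in the header format: action protocol address port -> address port (options)
SAMPLE_RULE = 'alert tcp 10.0.0.1 25 -> 10.0.0.2 25 (msg:"Sample Alert"; sid:1000;)'

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def parse_rule(text):
    """Split a one-line rule into header fields plus an options dict."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("does not match the rule header format: " + text)
    rule = m.groupdict()
    options = {}
    for item in rule.pop("opts").split(";"):
        item = item.strip()
        if item:                       # skip the empty piece after the final ';'
            key, _, value = item.partition(":")
            options[key.strip()] = value.strip().strip('"')
    rule["options"] = options
    return rule

def _port_ok(pattern, port):
    """Match a literal port, 'any', or a Snort-style lo:hi range."""
    if pattern == "any":
        return True
    if ":" in pattern:
        lo, _, hi = pattern.partition(":")
        return int(lo or 1) <= port <= int(hi or 65535)
    return int(pattern) == port

def _addr_ok(pattern, addr):
    return pattern == "any" or pattern == addr

def rule_matches(rule, proto, src, sport, dst, dport):
    """Would this rule's header fire on the given 5-tuple? (Payload options are ignored.)"""
    return (rule["proto"] in ("ip", proto)
            and _addr_ok(rule["src"], src) and _port_ok(rule["sport"], sport)
            and _addr_ok(rule["dst"], dst) and _port_ok(rule["dport"], dport))
```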
Command Line Tools
nmap -sT -T5 -n -p 1-100 10.0.0.1
nc -v -z -w 2 10.0.0.1
tcpdump -i eth0 -v -X ip proto 1
snort -vde -c my.rules 1
hping3 -I eth0 -c 10 -a 184.108.40.206 -t 100 10.0.0.1
iptables -A FORWARD -j ACCEPT -p tcp --dport 80
National Vuln Db
Website Research Tools
DNS and Whois Tools
SYSTEM HACKING TOOLS
John the Ripper
Keyloggers and Screen Capture
All in one Keylogger
Password Recovery Boot Disk
Remote Desktop Spy
SQL Injection Brute
SCANNING AND ENUMERATION
Angry IP Scanner
NetScan Tools Pro
Proxy, Anonymizer, and Tunneling
CRYPTOGRAPHY AND ENCRYPTION
Wireless Security Auditor
Mobile Device Tracking
Where's My Droid
Find My Phone
TROJANS AND MALWARE
The information in this cheat sheet is not only useful for passing the Certified Ethical Hacker Exam, but can act as a useful reference for penetration testers and those pursuing other security certifications.
However you choose to use it, we hope you’ve found it a helpful resource to keep around.
Frequently Asked Questions
Is the CEH exam hard to pass?
When compared to a similar certification, such as the Pentest+, CEH is widely considered the easier exam to pass due to the strict multiple-choice format, narrower scope, and longer sit time.
What is the pass rate for CEH?
EC-Council does not publish any statistics on pass/fail rates for the CEH exam.
Can I self study for CEH?
Yes, however if you choose not to take EC-Council’s official CEH training course, you will need to submit an eligibility application form stating you have two years of work experience and pay a non-refundable fee.
How easy is the CEH?
It is not an “easy” exam, but it is easier than many other ethical hacking industry certifications, such as the Pentest+ or OSCP.
How long does it take to learn CEH?
EC-Council training consists of a five day bootcamp which they claim will prepare you for the exam. However, you will require a strong foundation in essential IT and enterprise networking to be prepared for the bootcamp. This includes knowledge of operating systems, TCP/IP, OSI Reference Model, etc. You can gain this knowledge quickly and affordably with a StationX Membership.
How many questions do you need to pass CEH?
Certified Ethical Hacker (CEH) consists of 125 multiple choice questions. The passing score is dependent on the question bank you get and can range anywhere from 65% to 80%.
Nathan House is the founder and CEO of StationX. He has over 25 years of experience in cyber security, where he has advised some of the largest companies in the world. Nathan is the author of the popular "The Complete Cyber Security Course", which has been taken by over half a million students in 195 countries. He is the winner of the AI "Cyber Security Educator of the Year 2020" award and finalist for Influencer of the year 2022.