To supplement the hacking and CEH courses on our Cyber Security Career Development Platform, here is our Certified Ethical Hacker (CEH) Exam Cheat Sheet.
PDF download also available.
18 U.S.C 1029 & 1030
RFC 1918 - Private IP Standard
RFC 3227 - Collecting and storing data
ISO 27002 - InfoSec Guidelines
CAN-SPAM - email marketing
SPY-Act - License Enforcement
DMCA - Intellectual Property
SOX - Corporate Finance Processes
GLBA - Personal Finance Data
FERPA - Education Records
FISMA - Gov Networks Security Std
CVSS - Common Vuln Scoring System
CVE - Common Vulns and Exposure
Regional Registry Coverage Map
Key pairs required =
DES: 56bit key (8bit parity); fixed block
3DES: 168bit key; keys ≤ 3
AES: 128, 192, or 256; replaced DES
IDEA: 128bit key
Twofish: Block cipher key size ≤ 256bit
Blowfish: Rep. by AES; 64bit block
RC: incl. RC2 ―› RC6. 2,040key, RC6 (128bit block)
Public key = Encrypt, Private Key = Decrypt
Diffie-Hellman: key Exchange, used in SSL/IPSec
ECC: Elliptical Curve. Low process power/Mobile
EI Gamal: !=Primes, log problem to encrypt/sign
RSA: 2 x Prime 4,096bit. Modern std.
MD5: 128bit hash, expres as 32bit hex
SHA1: 160bit hash,rq 4 use in US apps
SHA2: 4 sep hash 224,256,384,512
Web of trust: Entities sign certs for each other
Single Authority: CA at top. Trust based on CA itself
Hierarchical: CA at top. RA’s Under to manage certs
XMKS - XML PKI System
Known Plain-text: Search plaintext for repeatable sequences. Compare to t versions.
Ciphertext-only: Obtain several messages with same algorithm. Analyze to reveal repeating code.
Replay: Performed in MITM. Repeat exchange to fool system in setting up a comms channel.
Used to verify user identity = nonrepudiation
Version: Identifies format. Common = V1
Serial: Uniquely identify the certificate
Subject: Whoever/whatever being identified by cert
Algorithm ID: Algorithm used
Issuer: Entity that verifies authenticity of certificate
Valid from/to: Certificate good through dates
Key usage: Shows for what purpose cert was made
Subject’s public key: self-explanatory
Optional fields: e.g., Issuer ID, Subject Alt Name...
Gathering information on targets, whereas foot-printing is mapping out at a high level. These are interchangeable in C|EH.
Operator: keyword additional search items
site: Search only within domain
ext: File Extension
loc: Maps Location
intitle: keywords in title tag of page
allintitle: any keywords can be in title
inurl: keywords anywhere in url
allinurl: any of the keywords can be in url
incache: search Google cache only
port 53 nslokup (UDP), Zone xfer (TCP)
DNS record types
Service (SRV): hostname & port # of servers
Start of Authority (SOA): Primary name server
Pointer (PTR): IP to Hostname; for reverse DNS
Name Server (NS): NameServers with namespace
Mail Exchange (MX): E-mail servers
CNAME: Aliases in zone. list multi services in DNS
Address (A): IP to Hostname; for DNS lookup
DNS footprinting: whois, nslookup, dig
TCP Header Flags
URG: Indicates data being sent out of band
ACK: Ack to, and after SYN
PSH: Forces delivery without concern for buffering
RST: Forces comms termination in both directions
SYN: Initial comms. Parameters and sequence #’s
FIN: ordered close to communications
Client — Discover-> Server
Client —Request—> Server
IP is removed from pool
Scanning & Enumeration
ICMP Message Types
0: Echo Reply: Answer to type 8 Echo Request
3: Destination Unreachable: No host/ network
0 ― Destination network unreachable
1― Destination host unreachable
6 ― Network unknown
7 ― Host unknown
9 ― Network administratively prohibited
10 ― Host administratively prohibited
13 ― Communication administratively prohibited
4: Source Quench: Congestion control message
5: Redirect: 2+ gateways for sender to use or the best route not the configured default gateway
0 ― redirect datagram for the network
1 ― redirect datagram for the host
8: Echo Request: Ping message requesting echo
11: Time Exceeded: Packet too long be routed
Method of the representing IP Addresses
0 — 1023: Well-known
1024 — 49151: Registered
49152 — 65535: Dynamic
Important Port Numbers
HTTP: 80 / 8080
Portmapper (Linux): 111
Back Orifice: 27374
HTTP Error Codes
200 Series - OK
400 Series - Could not provide req
500 Series - Could not process req
Nmap is the de-facto tool for this pen-test phase
Nmap <scan options> <target>
-sA: ACK scan -sF: FIN scan
-sS:SYN -sT: TCP scan
-sI: IDLS scan -sn: PING sweep
-sN: NULL -sS: Stealth Scan
-sR: RPC scan -Po: No ping
-sW: Window -sX: XMAS tree scan
-PI: ICMP ping - PS: SYN ping
-PT: TCP ping -oN: Normal output
-oX: XML output -A OS/Vers/Script
-T<0-4>: Slow - Fast
TCP: 3 way handshake on all ports.
Open = SYN/ACK, Closed = RST/ACK
SYN: SYN packets to ports (incomplete handshake).
Open = SYN/ ACK, Closed = RST/ ACK
FIN: Packet with FIN flag set
Open = no response, Closed = RST
XMAS: Multiple flags set (fin, URG, and PSH) Binary Header: 00101001
Open = no response, Closed = RST
ACK: Used for Linux/Unix systems
Open = RST, Closed = no response
IDLE: Spoofed IP, SYN flag, designed for stealth.
Open = SYN/ACK, Closed= RST/ACK
NULL: No flags set. Responses vary by OS. NULL scans are designed for Linux/ Unix machines.
nbtstat -a COMPUTER 190
nbtstat -A 192.168.10.12 remote table
nbtstat -n local name table
nbtstat -c local name cache
nbtstat -r -purge name cache
nbtstat -S 10 -display ses stats every 10 sec
1B ==master browser for the subnet
1C == domain controller
1D == domain master browser
Uses a community string for PW
SNMPv3 encrypts the community strings
Sniffing and Evasion
IPv4 and IPv6
IPv4 == unicast, multicast, and broadcast
IPv6 == unicast, multicast, and anycast.
IPv6 unicast and multicast scope includes link local, site local and global.
First half = 3 bytes (24bits) = Org UID
Second half = unique number
NAT (Network Address Translation)
Basic NAT is a one-to-one mapping where each internal IP== a unique public IP.
Nat overload (PAT) == port address translation. Typically used as is the cheaper option.
Concerned with the connections. Doesn’t sniff ever packet, it just verifies if it’s a known connection, then passes along.
Crafting of wrapped segments through a port rarely filtered by the Firewall (e.g., 80) to carry payloads that may otherwise be blocked.
It has 3 modes:
Sniffer/Packet logger/ Network IDS.
Config file: /etc/snort, or c:\snort\etc #~alert tcp!HOME_NET any ->$HOME_NET 31337 (msg : “BACKDOOR ATTEMPT-Back-orifice.”)
Any packet from any address !=home network. Using any source port, intended for an address in home network on port 31337, send msg.
Span port: port mirroring
False Negative: IDS incorrectly reports stream clean
IDS Evasion Tactics
Slow down OR flood the network (and sneak through in the mix) OR fragmentation
#~tcpdump flag(s) interface
Attacking a System
C|EH rules for passwords
Must not contain user’s name. Min 8 chars.
3 of 4 complexity components. E.g., Special, Number, Uppercase, Lowercase
7 spaces hashed: AAD3B435B51404EE
Passive Online: Sniffing wire, intercept cleantext password / replay / MITM
Active Online: Password guessing.
Offline: Steal copy of password i.e., SAM file. Cracking efforts on a separate system
Non-electronic: Social Engineering
Steal cookies exchanged between systems and use tp perform a replay-style attack.
Type 1: Something you know
Type 2: Something you have
Type 3: Something you are
Refers to the active attempt to steal an entire established session from a target
1. Sniff traffic between client and server
2. Monitor traffic and predict sequence
3. Desynchronise session with client
4. Predict session token and take over session
5. Inject packets to the target server
Kerberos makes use of symmetric and asymmetric encryption technologies and involves:
KDC: Key Distribution Centre
AS: Authentication Service
TGS: Ticket Granting Service
TGT: Ticket Granting Ticket
1. Client asks KDC (who has AS and TGS) for ticket to authenticate throughout the network. this request is in clear text.
2. Server responds with secret key. hashed by the password copy kept on AD server (TGT).
3. TGT sent back to server requesting TGS if user decrypts.
4. Server responds with ticket, and client can log on and access network resources.
2 elements make a registry setting: a key (location pointer), and valu (define the key setting).
Rot level keys are as follows:
HKEY_LOCAL_MACHINE_Info on Hard/software
HKEY_CLASSES_ROOT ― Info on file associations and Object Linking and Embedding (OLE) classes
HKEY_CURRENT_USER ― Profile info on current user
HKEY_USERS ― User config info for all active users
HEKY_CURRENT-CONFIG―pointer to\hardware Profiles\.
Human based attacks
Computer based attacks
Phishing - Email SCAM
Whaling - Targeting CEO’s
Pharming - Evil Twin Website
Types of Social Engineers
Insider Associates: Limited Authorized Access
Insider Affiliates: Insiders by virtue of Affiliation that spoof the identity of the Insider
Outsider Affiliates: Non-trusted outsider that use an access point that was left open
3 major categories of Physical Security measures
Physical measures: Things you taste, touch, smell
Technical measures: smart cards, biometrics
Operational measures: policies and procedures
CSRF - Cross Site Request Forgery
Variant of Unicode or un-validated input attack
SQL Injection attack types
Union Query: Use the UNION command to return the union of target Db with a crafted Db
Tautology: Term used to describe behavior of a Db when deciding if a statement is true.
Blind SQL Injection: Trial and Error with no responses or prompts.
Error based SQL Injection: Enumeration technique. Inject poorly constructed commands to have Db respond with table names and other information
A condition that occurs when more data is written to a buffer than it has space to store and results in data corruption. Caused by insufficient bounds checking, a bug, or poor configuration in the program code.
Stack: Premise is all program calls are kept in a stack and performed in order. Try to change a function pointer or variable to allow code exe
Heap: Takes advantage of memory “on top of” the application (dynamically allocated). Use program to overwrite function pointers
NOP Sled: Takes advantage of instruction called “no-op”. Sends a large # of NOP instructions into buffer. Most IDS protect from this attack.
Dangerous SQL functions
The following do not check size of destination buffers:
gets() strcpy() stract() printf()
Wireless Network Hacking
Compatible wireless adapter with promiscuous mode is required, but otherwise pretty much the same as sniffing wired.
WEP: RC4 with 24bit vector. Kers are 40 or 104bit
WAP: RC4 supports longer keys; 48bit IV
WPA/TKIP: Changes IV each frame and key mixing
WPA2: AES + TKIP features; 48bit IV
Bluesmacking: DoS against a device
Bluejacking: Sending messages to/from devices
Bluesniffing: Sniffs for Bluetooth
Bluesnarfing: actual theft of data from a device
Trojans and Other Attacks
Boot: Moves boot sector to another location. Almost impossible to remove.
Camo: Disguise as legit files.
Cavity: Hides in empty areas in exe.
Marco: Written in MS Office Macro Language
Multipartite: Attempts to infect files and boot sector at same time.
Metamorphic virus: Rewrites itself when it infects a new file.
Network: Spreads via network shares.
Polymorphic Code virus: Encrypts itself using built-in polymorphic engine.
Constantly changing signature makes it hard to detect.
Shell virus: Like boot sector but wrapped around application code, and run on application start.
Stealth: Hides in files, copies itself to deliver payload.
SYN Attack: Send thousands of SYN packets with a false IP address. Target will attempt SYN/ACK response. All machine resources will be engaged.
SYN Flood: Send thousands of SYN Packets but never respond to any of the returned SYN/ACK packets. Target will run out of available connections.
ICMP Flood: Send ICMP Echo packets with a fake source address. Target attempts to respond but reaches a limit of packets sent per second.
Application level: Send “legitimate” traffic to a web application than it can handle.
Smurf: Send large number of pings to the broadcast address of the subnet with source IP spoofed to target. Subnet will send ping responses to target.
Fraggle Attack: Similar to Smurf but uses UDP.
Ping of Death: Attacker fragments ICMP message to send to target. When the fragments are reassembled, the resultant ICMP packet is larger than max size and crashes the system
Founded by Neel Mehta, Heartbleed is a vulnerability with heartbeat in OpenSSL software Library. Allowed for MITM to steal information protected under normal conditions by SSL/TLS encryption.
MITM exploit which took advantage of internet and software client fallback to SSL 3.0.
Exploit a vuln that executes codes inside the ‘ ’ where the text should not be exe.
ILOVEYOU: A worm originating in the Philippines. Started in May 5, 2000, and was built on a VBS macro in Microsoft word/excel/ templates.
MELISSA: Email virus based on MS word macro. Created in 1999 by David L. Smith.
Linux File System
/var -Variable Data / Log Files
/bin -Biniaries / User Commands
/sbin -Sys Binaries / Admin Commands
/root -Home dir for root user
/boot -Store kernel
/proc -Direct access to kernel
/dev -Hardware storage devices
/mnt -Mount devices
Identifying Users and Processes
INIT process ID 1
Root UID, GID 0
Accounts of Services 1-999
All other users Above 1000
4 - Read
2 - Write
1 - Execute
764 - User>RWX, Grp>RW, Other>R
action protocol address port -> address port (option:value;option:value)
alert tcp 10.0.0.1 25 -> 10.0.0.2 25
(msg:”Sample Alert”; sid:1000;)
Command Line Tools
nmap -sT -T5 -n -p 1-100 10.0.0.1
nc -v -z -w 2 10.0.0.1
tcpdump -i eth0 -v -X ip proto 1
snort -vde -c my.rules 1
hping3 -I -eth0 -c 10 -a 126.96.36.199 -t 100 10.0.0.1
iptables -A FORWARD -j ACCEPT -p tcp ―dport 80
Tools of the Trade
National Vuln Db
Website Research Tools
DNS and Whois Tools
Scanning and Enumeration
Angry IP Scanner
NetScan Tools Pro
Proxy, Anonymizer, and Tunneling
System Hacking Tools
John the Ripper
Keyloggers and Screen Capture
All in one Keylogger
Password Recovery Boot Disk
Remote Desktop Spy
Cryptography and Encryption
Wireless Security Auditor
Mobile Device Tracking
Wheres My Droid
Find My Phone
Trojans and Malware
SQL Injection Brute