Certified Ethical Hacker


Certified Ethical Hacker (CEH) Cert Guide
Michael Gregg
800 East 96th Street
Indianapolis, Indiana 46240 USA

Certified Ethical Hacker (CEH) Cert Guide
Copyright 2014 by Pearson Education, Inc.

All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

ISBN-13: 978-0-7897-5127-0
ISBN-10: 0-7897-5127-5
Library of Congress Control Number: 2013953303
Printed in the United States of America
Second Printing: May 2014

Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Pearson IT Certification cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the CD or programs accompanying it.

Bulk Sales
Pearson IT Certification offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact U.S. Corporate and Government Sales or, for sales outside of the U.S., International Sales, international@pearsoned.com.

Associate Publisher: Dave Dusthimer
Acquisitions Editor: Betsy Brown
Senior Project Editor: Tonya Simpson
Copy Editor: Keith Cline
Development Editor: Ellie C. Bru
Managing Editor: Sandra Schroeder
Indexer: Tim Wright
Proofreader: Kathy Ruiz
Technical Editors: Brock Pearson, Tatyana Zidarov
Publishing Coordinator: Vanessa Evans
Media Producer: Lisa Matthews
Book Designer: Alan Clements
Compositor: Jake McFarland

Contents at a Glance
Introduction xxiii
CHAPTER 1 Ethical Hacking Basics
CHAPTER 2 The Technical Foundations of Hacking
CHAPTER 3 Footprinting and Scanning
CHAPTER 4 Enumeration and System Hacking
CHAPTER 5 Linux and Automated Assessment Tools
CHAPTER 6 Trojans and Backdoors
CHAPTER 7 Sniffers, Session Hijacking, and Denial of Service
CHAPTER 8 Web Server Hacking, Web Applications, and Database Attacks 297
CHAPTER 9 Wireless Technologies, Mobile Security, and Attacks
CHAPTER 10 IDS, Firewalls, and Honeypots
CHAPTER 11 Buffer Overflows, Viruses, and Worms 417
CHAPTER 12 Cryptographic Attacks and Defenses
CHAPTER 13 Physical Security and Social Engineering
CHAPTER 14 Final Preparation
Glossary 535
Practice Exam I 561
Practice Exam II 603
Index 646
APPENDIX A Answers to the “Do I Know This Already?” Quizzes and Review Questions (CD only)
APPENDIX B Memory Tables (CD only)
APPENDIX C Memory Table Answer Key (CD only)

Table of Contents
Introduction xxiii

Chapter 1 Ethical Hacking Basics 3
“Do I Know This Already?” Quiz 3
Foundation Topics 6
Security Fundamentals 6
Goals of Security 7
Risk, Assets, Threats, and Vulnerabilities 8
Defining an Exploit 10
Security Testing 10
No-Knowledge Tests (Black Box) 11
Full-Knowledge Testing (White Box) 11
Partial-Knowledge Testing (Gray Box) 11
Types of Security Tests 12
Hacker and Cracker Descriptions 13
Who Attackers Are 15
Hacker and Cracker History 16
Ethical Hackers 17
Required Skills of an Ethical Hacker 18
Modes of Ethical Hacking 19
Test Plans—Keeping It Legal 21
Test Phases 23
Establishing Goals 24
Getting Approval 25
Ethical Hacking Report 25
Vulnerability Research—Keeping Up with Changes 26
Ethics and Legality 27
Overview of U.S. Federal Laws 28
Compliance Regulations 30
Chapter Summary 31
Exam Preparation Tasks 32
Review All Key Topics 32
Hands-On Labs 32
Lab 1-1 Examining Security Policies 32
Review Questions 33
Define Key Terms 36
View Recommended Resources 36

Chapter 2 The Technical Foundations of Hacking 39
“Do I Know This Already?” Quiz 39
Foundation Topics 42
The Attacker’s Process 42
Performing Reconnaissance and Footprinting 42
Scanning and Enumeration 43
Gaining Access 44
Escalation of Privilege 45
Maintaining Access 45
Covering Tracks and Planting Backdoors 45
The Ethical Hacker’s Process 46
National Institute of Standards and Technology 47
Operational Critical Threat, Asset, and Vulnerability Evaluation 47
Open Source Security Testing Methodology Manual 48
Security and the Stack 48
The OSI Model 48
Anatomy of TCP/IP Protocols 51
The Application Layer 53
The Transport Layer 57
The Internet Layer 60
The Network Access Layer 65
Chapter Summary 67
Exam Preparation Tasks 67
Review All Key Topics 67
Define Key Terms 68
Exercises 68
2.1 Install a Sniffer and Perform Packet Captures 68
2.2 List the Protocols, Applications, and Services Found at Each Layer of the Stack 70
Review Questions 71
Suggested Reading and Resources 75

Chapter 3 Footprinting and Scanning 77
“Do I Know This Already?” Quiz 77
Foundation Topics 80
The Seven-Step Information-Gathering Process 80
Information Gathering 80
Documentation 80
The Organization’s Website 81
Job Boards 83
Employee and People Searches 84
EDGAR Database 87
Google Hacking 88
Usenet 92
Registrar Query 93
DNS Enumeration 96
Determine the Network Range 101
Traceroute 101
Identifying Active Machines 104
Finding Open Ports and Access Points 105
Nmap 112
SuperScan 115
THC-Amap 115
Scanrand 116
Hping 116
Port Knocking 117
War Dialers 117
War Driving 118
OS Fingerprinting 118
Active Fingerprinting Tools 120
Fingerprinting Services 122
Default Ports and Services 122
Finding Open Services 123
Mapping the Network Attack Surface 125
Manual Mapping 125
Automated Mapping 125
Chapter Summary 127
Exam Preparation Tasks 127
Review All Key Topics 127
Define Key Terms 128
Command Reference to Check Your Memory 128
Exercises 129
3.1 Performing Passive Reconnaissance 129
3.2 Performing Active Reconnaissance 130
Review Questions 131
Suggested Reading and Resources 134

Chapter 4 Enumeration and System Hacking 137
“Do I Know This Already?” Quiz 137
Foundation Topics 140
Enumeration 140
Windows Enumeration 140
Windows Security 142
NetBIOS and LDAP Enumeration 143
NetBIOS Enumeration Tools 145
SNMP Enumeration 148
Linux/UNIX Enumeration 149
NTP Enumeration 150
SMTP Enumeration 150
DNS Enumeration 151
System Hacking 151
Nontechnical Password Attacks 151
Technical Password Attacks 152
Password Guessing 152
Automated Password Guessing 153
Password Sniffing 154
Keystroke Loggers 155
Privilege Escalation and Exploiting Vulnerabilities 155
Exploiting an Application 156
Exploiting a Buffer Overflow 156
Owning the Box 157
Authentication Types 158
Cracking the Passwords 159
Hiding Files and Covering Tracks 162
File Hiding 163
Chapter Summary 165
Exam Preparation Tasks 165
Review All Key Topics 165
Define Key Terms 166
Command Reference to Check Your Memory 166
Exercise 166
4.1 NTFS File Streaming 166
Review Questions 167
Suggested Reading and Resources 171

Chapter 5 Linux and Automated Assessment Tools 173
“Do I Know This Already?” Quiz 173
Foundation Topics 176
Linux 176
Linux or Windows? Picking the Right Platform 176
Linux File Structure 177
Linux Basics 179
Passwords and the Shadow File 182
Linux Passwords 183
Compressing, Installing, and Compiling Linux 185
Hacking Linux
Gaining Access 188
Privilege Escalation 190
Maintaining Access and Covering Tracks 191
Hardening Linux 194
Automated Assessment Tools 196
Automated Assessment Tools 196
Source Code Scanners 197
Application-Level Scanners 197
System-Level Scanners 198
Automated Exploit Tools 201
Chapter Summary 203
Exam Preparation Tasks 204
Review All Key Topics 204
Define Key Terms 204
Command Reference to Check Your Memory 205
Exercises 205
5.1 Downloading and Running Backtrack 205
5.2 Using Backtrack to Perform a Port Scan 206
5.3 Creating a Virtual Machine 206
5.4 Cracking Passwords with John the Ripper 207
Review Questions 208
Suggested Reading and Resources 210

Chapter 6 Trojans and Backdoors 213
“Do I Know This Already?” Quiz 213
Foundation Topics 216
Trojans 216
Trojan Types 216
Trojan Ports and Communication Methods 217
Trojan Goals 219
Trojan Infection Mechanisms 219
Effects of Trojans 220
Trojan Tools 221
Distributing Trojans 225
Trojan Tool Kits 226
Covert Communication 227
Covert Communication Tools 231
Port Redirection 232
Other Redirection and Covert Tools 234
Keystroke Logging and Spyware 235
Hardware 236
Software 236
Spyware 237
Trojan and Backdoor Countermeasures 238
Chapter Summary 240
Exam Preparation Tasks 241
Review All Key Topics 241
Define Key Terms 242
Command Reference to Check Your Memory 242
Exercises 243
6.1 Finding Malicious Programs 243
6.2 Using a Scrap Document to Hide Malicious Code 244
6.3 Using Process Explorer 244
Review Questions 246
Suggested Reading and Resources 248

Chapter 7 Sniffers, Session Hijacking, and Denial of Service 251
“Do I Know This Already?” Quiz 251
Foundation Topics 254
Sniffers 254
Passive Sniffing 254
Active Sniffing 255
Address Resolution Protocol 255
ARP Poisoning and Flooding 256
Tools for Sniffing 260
Wireshark 260
Other Sniffing Tools 262
Sniffing and Spoofing Countermeasures 263
Session Hijacking 264
Transport Layer Hijacking 264
Predict the Sequence Number 265
Take One of the Parties Offline 267
Take Control of the Session 267
Application Layer Hijacking 267
Session Sniffing 267
Predictable Session Token ID 268
Man-in-the-Middle Attacks 268
Man-in-the-Browser Attacks 269
Client-Side Attacks 269
Session-Hijacking Tools 271
Preventing Session Hijacking 273
Denial of Service, Distributed Denial of Service, and Botnets 274
Types of DoS 275
Bandwidth Attacks 276
SYN Flood Attacks 277
Program and Application Attacks 277
Distributed Denial of Service 278
DDoS Tools 280
Botnets 282
DoS, DDOS, and Botnet Countermeasures 285
Summary 288
Exam Preparation Tasks 289
Review All Key Topics 289
Define Key Terms 290
Exercises 290
7.1 Scanning for DDoS Programs 290
7.2 Using SMAC to Spoof Your MAC Address 291
Review Questions 291
Suggested Reading and Resources 294

Chapter 8 Web Server Hacking, Web Applications, and Database Attacks 297
“Do I Know This Already?” Quiz 297
Foundation Topics 300
Web Server Hacking 300
Scanning Web Servers 302
Banner Grabbing and Enumeration 302
Web Server Vulnerability Identification 306
Attacks Against Web Servers 307
IIS Vulnerabilities 308
Securing IIS and Apache Web Servers 312
Web Application Hacking 314
Unvalidated Input 315
Parameter/Form Tampering 315
Injection Flaws 315
Cross-Site Scripting and Cross-Site Request Forgery Attacks 316
Hidden Field Attacks 317
Other Web Application Attacks 318
Web-Based Authentication 319
Web-Based Password Cracking and Authentication Attacks 320
Cookies 324
URL Obfuscation 324
Intercepting Web Traffic 326
Database Hacking 329
Identifying SQL Servers 330
SQL Injection Vulnerabilities 331
SQL Injection Hacking Tools 333
Summary 334
Exam Preparation Tasks 335
Review All Key Topics 335
Define Key Terms 336
Exercise 336
8.1 Hack the Bank 336
Review Questions 337
Suggested Reading and Resources 339

Chapter 9 Wireless Technologies, Mobile Security, and Attacks 341
“Do I Know This Already?” Quiz 341
Foundation Topics 344
Wireless Technologies 344
Wireless History 344
Satellite TV 344
Cordless Phones 346
Cell Phones and Mobile Devices 346
Mobile Devices 348
Smartphone Vulnerabilities and Attack Vectors 349
Android 350
iOS 352
Windows Phone 8 352
BlackBerry 353
Mobile Device Management and Protection 353
Bluetooth 354
Wireless LANs 355
Wireless LAN Basics 355
Wireless LAN Frequencies and Signaling 357
Wireless LAN Security 358
Wireless LAN Threats 361
Eavesdropping 362
Configured as Open Authentication 363
Rogue and Unauthorized Access Points 363
Denial of Service (DoS) 365
Wireless Hacking Tools 366
Discover WiFi Networks 366
Perform GPS Mapping 367
Wireless Traffic Analysis 367
Launch Wireless Attacks 368
Crack and Compromise the WiFi Network 368
Securing Wireless Networks 369
Defense in Depth 369
Site Survey 371
Robust Wireless Authentication 372
Misuse Detection 373
Summary 374
Exam Preparation Tasks 374
Review All Key Topics 375
Define Key Terms 375
Review Questions 375
Suggested Reading and Resources 378

Chapter 10 IDS, Firewalls, and Honeypots 381
“Do I Know This Already?” Quiz 381
Intrusion Detection Systems 385
IDS Types and Components 385
Pattern Matching and Anomaly Detection 387
Snort 388
IDS Evasion 392
IDS Evasion Tools 394
Firewalls 395
Firewall Types 395
Network Address Translation 395
Packet Filters 396
Application and Circuit-Level Gateways 398
Stateful Inspection 399
Identifying Firewalls 400
Bypassing Firewalls 402
Honeypots 407
Types of Honeypots 408
Detecting Honeypots 409
Summary 410
Exam Preparation Tasks 411
Review All Key Topics 411
Define Key Terms 411
Review Questions 412
Suggested Reading and Resources 414

Chapter 11 Buffer Overflows, Viruses, and Worms 417
“Do I Know This Already?” Quiz 417
Foundation Topics 420
Buffer Overflows 420
What Is a Buffer Overflow? 420
Why Are Programs Vulnerable? 421
Understanding Buffer-Overflow Attacks 423
Common Buffer-Overflow Attacks 426
Preventing Buffer Overflows 427
Viruses and Worms 429
Types and Transmission Methods of Viruses 429
Virus Payloads 431
History of Viruses 432
Well-Known Viruses 434
The Late 1980s 434
The 1990s 434
2000 and Beyond 435
Virus Tools 438
Preventing Viruses 439
Antivirus 440
Malware Analysis 442
Static Analysis 442
Dynamic Analysis 445
Summary 446
Exam Preparation Tasks 447
Review All Key Topics 447
Define Key Terms 447
Exercises 448
11.1 Locating Known Buffer Overflows 448
11.2 Review CVEs and Buffer Overflows 449
Review Questions 449
Suggested Reading and Resources 451

Chapter 12 Cryptographic Attacks and Defenses 453
“Do I Know This Already?” Quiz 453
Foundation Topics 456
Functions of Cryptography 456
History of Cryptography 457
Algorithms 459
Symmetric Encryption 460
Data Encryption Standard (DES) 461
Advanced Encryption Standard (AES) 463
Rivest Cipher (RC) 463
Asymmetric Encryption (Public Key Encryption) 464
RSA 465
Diffie-Hellman 465
ElGamal 466
Elliptic Curve Cryptography (ECC) 466
Hashing 466
Digital Signature 467
Steganography 468
Steganography Operation 469
Steganographic Tools 470
Digital Watermark 472
Digital Certificates 473
Public Key Infrastructure 474
Trust Models 475
Single Authority 475
Hierarchical Trust 476
Web of Trust 476
Protocols, Standards, and Applications 477
Encryption Cracking and Tools 479
Weak Encryption 481
Encryption-Cracking Tools 482
Summary 483
Exam Preparation Tasks 484
Review All Key Topics 484
Define Key Terms 484
Exercises 485
12.1 Examining an SSL Certificate 485
12.2 Using PGP 486
12.3 Using a Steganographic Tool to Hide a Message 487
Review Questions 487
Suggested Reading and Resources 490

Chapter 13 Physical Security and Social Engineering 493
“Do I Know This Already?” Quiz 493
Foundation Topics 496
Physical Security 496
Threats to Physical Security 496
Equipment Controls 499
Locks 499
Fax Machines 504
Area Controls 505
Location Data and Geotagging 506
Facility Controls 508
Personal Safety Controls 510
Fire Prevention, Detection, and Suppression 510
Physical Access Controls 511
Authentication 511
Defense in Depth 512
Social Engineering 513
Six Types of Social Engineering 513
Person-to-Person Social Engineering 514
Computer-Based Social Engineering 514
Reverse Social Engineering 515
Policies and Procedures 515
Employee Hiring and Termination Policies 516
Help Desk Procedures and Password Change Policies 516
Employee Identification 516
Privacy Policies 517
Governmental and Commercial Data Classification 518
User Awareness 519
Summary 519
Exam Preparation Tasks 520
Review All Key Topics 520
Define Key Terms 521
Exercises 521
13.1 Biometrics and Fingerprint Recognition 521
Review Questions 522
Suggested Reading and Resources 524

Chapter 14 Final Preparation 527
Tools for Final Preparation 527
Pearson Cert Practice Test Engine and Questions on the CD 527
Install the Software from the CD 527
Activate and Download the Practice Exam 528
Activating Other Exams 529
Premium Edition 529
Memory Tables 530
End-of-Chapter Review Tools 530
Suggested Plan for Final Review and Study 530
Summary 532

Glossary 535
Practice Exam 1 EC-Council CEH 312-50 561
Practice Exam 2 EC-Council CEH 312-50 603
Index 646
Appendix A Answers to the “Do I Know This Already?” Quizzes and Review Questions (CD only)
Appendix B Memory Tables (CD only)
Appendix C Memory Table Answer Key (CD only)

About the Author

Michael Gregg (CISSP, SSCP, CISA, MCSE, MCT, CTT+, A+, N+, Security+, CCNA, CASP, CISA, CISM, CEH, CHFI, and GSEC) is the founder and president of Superior Solutions, Inc., a Houston, Texas-based IT security consulting firm. Superior Solutions performs security assessments and penetration testing for Fortune 1000 firms. The company has performed security assessments for private, public, and governmental agencies. Its Houston-based team travels the country to assess, audit, and provide training services.

Michael is responsible for working with organizations to develop cost-effective and innovative technology solutions to security issues and for evaluating emerging technologies. He has more than 20 years of experience in the IT field and holds two associate’s degrees, a bachelor’s degree, and a master’s degree. In addition to coauthoring the first, second, and third editions of Security Administrator Street Smarts, Michael has written or co-authored 14 other books, including Build Your Own Security Lab: A Field Guide for Network Testing (Wiley, 2008); Hack the Stack: Using Snort and Ethereal to Master the 8 Layers of an Insecure Network (Syngress, 2006); Certified Ethical Hacker Exam Prep 2 (Que, 2006); and Inside Network Security Assessment: Guarding Your IT Infrastructure (Sams, 2005).

Michael has been quoted in newspapers such as the New York Times and featured on various television and radio shows, including NPR, ABC, CBS, Fox News, and others, discussing cyber security and ethical hacking. He has created more than a dozen IT security training classes. He has created and performed video instruction on many security topics, such as cyber security, CISSP, CISA, Security+, and others.

When not consulting, teaching, or writing, Michael enjoys 1960s muscle cars and has a slot in his garage for a new project car.

You can reach Michael by email at MikeG@thesolutionfirm.com.

Dedication

In loving memory of my mother-in-law, Elvira Estrello Cuellar, who always stood behind me, encouraged me, and prayed that all my dreams would come true.

Acknowledgments

I would like to offer a big “thank you” to Christine, for her help and understanding during the long hours that such a project entails. I also want to thank Curley, Betty, Gen, Alice, and all of my family. A special thanks to the people of Pearson IT Certification, who helped make this project a reality, including Betsy Brown. I would also like to thank my technical editors, Brock Pearson and Tatyana Zidarov.

Finally, I would like to acknowledge all the dedicated security professionals who contributed “In the Field” elements for this publication. They include Darla Bryant, Guy Bruneau, Ron Bandes, Jim Cowden, Laura Chappell, Rodney Fournier, Pete Herzog, Bryce Gilbrith, George Mays, Mark “Fat Bloke” Osborn, Donald L. Pipkin, Shondra Schneider, and Allen Taylor.

We Want to Hear from You!

As the reader of this book, you a

