Certified Ethical Hacker (CEH) Cert Guide

Michael Gregg (CISSP, SSCP, CISA, MCSE, MCT, CTT+, A+, N+, Security+, CCNA, CASP, CISA, CISM, CEH, CHFI, and GSEC) is the founder and president of Superior Solutions, Inc., a Houston, Texas-based IT security consulting firm. Superior Solutions performs security assessments and penetration testing for Fortune 1000 firms. The company has performed security assessments for private, public, and governmental agencies. Its Houston-based team travels the country to assess, audit, and provide training services.   Michael is responsible for working with organizations to develop cost-effective and innovative technology solutions to security issues and for evaluating emerging technologies. He has more than 20 years of experience in the IT field and holds two associate’s degrees, a bachelor’s degree, and a master’s degree. In addition to coauthoring the first, second, and third editions of Security Administrator Street Smarts, Michael has written or co-authored 14 other books, including Build Your Own Security Lab: A Field Guide for Network Testing (Wiley, 2008); Hack the Stack: Using Snort and Ethereal to Master the 8 Layers of an Insecure Network (Syngress, 2006); Certified Ethical Hacker Exam Prep 2 (Que, 2006); and Inside Network Security Assessment: Guarding Your IT Infrastructure (Sams, 2005).   Michael has been quoted in newspapers such as the New York Times and featured on various television and radio shows, including NPR, ABC, CBS, Fox News, and others, discussing cyber security and ethical hacking. He has created more than a dozen IT security training security classes. He has created and performed video instruction on many security topics, such as cyber security, CISSP, CISA, Security+, and others.   When not consulting, teaching, or writing, Michael enjoys 1960s muscle cars and has a slot in his garage for a new project car.   You can reach Michael by email at MikeG@thesolutionfirm.com.

Introduction xxiii

Chapter 1 Ethical Hacking Basics 3

“Do I Know This Already?” Quiz 3

Foundation Topics 6

Security Fundamentals 6

Goals of Security 7

Risk, Assets, Threats, and Vulnerabilities 8

Defining an Exploit 10

Security Testing 10

No-Knowledge Tests (Black Box) 11

Full-Knowledge Testing (White Box) 11

Partial-Knowledge Testing (Gray Box) 11

Types of Security Tests 12

Hacker and Cracker Descriptions 13

Who Attackers Are 15

Hacker and Cracker History 16

Ethical Hackers 17

Required Skills of an Ethical Hacker 18

Modes of Ethical Hacking 19

Test Plans–Keeping It Legal 21

Test Phases 23

Establishing Goals 24

Getting Approval 25

Ethical Hacking Report 25

Vulnerability Research–Keeping Up with Changes 26

Ethics and Legality 27

Overview of U.S. Federal Laws 28

Compliance Regulations 30

Chapter Summary 31

Exam Preparation Tasks 32

Review All Key Topics 32

Hands-On Labs 32

Lab 1-1 Examining Security Policies 32

Review Questions 33

Define Key Terms 36

View Recommended Resources 36

Chapter 2 The Technical Foundations of Hacking 39

“Do I Know This Already?” Quiz 39

Foundation Topics 42

The Attacker’s Process 42

Performing Reconnaissance and Footprinting 42

Scanning and Enumeration 43

Gaining Access 44

Escalation of Privilege 45

Maintaining Access 45

Covering Tracks and Planting Backdoors 45

The Ethical Hacker’s Process 46

National Institute of Standards and Technology 47

Operational Critical Threat, Asset, and Vulnerability Evaluation 47

Open Source Security Testing Methodology Manual 48

Security and the Stack 48

The OSI Model 48

Anatomy of TCP/IP Protocols 51

 The Application Layer 53

 The Transport Layer 57

 The Internet Layer 60

 The Network Access Layer 65

Chapter Summary 67

Exam Preparation Tasks 67

Review All Key Topics 67

Define Key Terms 68

Exercises 68

2.1 Install a Sniffer and Perform Packet Captures 68

2.2 List the Protocols, Applications, and Services Found at Each Layer of the Stack 70

Review Questions 71

Suggested Reading and Resources 75

Chapter 3 Footprinting and Scanning 77

“Do I Know This Already?” Quiz 77

Foundation Topics 80

The Seven-Step Information-Gathering Process 80

Information Gathering 80

 Documentation 80

 The Organization’s Website 81

 Job Boards 83

 Employee and People Searches 84

 EDGAR Database 87

 Google Hacking 88

 Usenet 92

 Registrar Query 93

 DNS Enumeration 96

Determine the Network Range 101

 Traceroute 101

Identifying Active Machines 104

Finding Open Ports and Access Points 105

Nmap 112

SuperScan 115

THC-Amap 115

Scanrand 116

Hping 116

Port Knocking 117

War Dialers 117

War Driving 118

OS Fingerprinting 118

Active Fingerprinting Tools 120

Fingerprinting Services 122

 Default Ports and Services 122

 Finding Open Services 123

Mapping the Network Attack Surface 125

Manual Mapping 125

Automated Mapping 125

Chapter Summary 127

Exam Preparation Tasks 127

Review All Key Topics 127

Define Key Terms 128

Command Reference to Check Your Memory 128

Exercises 129

3.1 Performing Passive Reconnaissance 129

3.2 Performing Active Reconnaissance 130

Review Questions 131

Suggested Reading and Resources 134

Chapter 4 Enumeration and System Hacking 137

“Do I Know This Already?” Quiz 137

Foundation Topics 140

Enumeration 140

Windows Enumeration 140

Windows Security 142

NetBIOS and LDAP Enumeration 143

 NetBIOS Enumeration Tools 145

SNMP Enumeration 148

Linux/UNIX Enumeration 149

NTP Enumeration 150

SMTP Enumeration 150

DNS Enumeration 151

System Hacking 151

Nontechnical Password Attacks 151

Technical Password Attacks 152

 Password Guessing 152

 Automated Password Guessing 153

 Password Sniffing 154

 Keystroke Loggers 155

Privilege Escalation and Exploiting Vulnerabilities 155

Exploiting an Application 156

Exploiting a Buffer Overflow 156

Owning the Box 157

 Authentication Types 158

 Cracking the Passwords 159

Hiding Files and Covering Tracks 162

 File Hiding 163

Chapter Summary 165

Exam Preparation Tasks 165

Review All Key Topics 165

Define Key Terms 166

Command Reference to Check Your Memory 166

Exercise 166

4.1 NTFS File Streaming 166

Review Questions 167

Suggested Reading and Resources 171

Chapter 5 Linux and Automated Assessment Tools 173

“Do I Know This Already?” Quiz 173

Foundation Topics 176

Linux 176

Linux or Windows? Picking the Right Platform 176

Linux File Structure 177

Linux Basics 179

 Passwords and the Shadow File 182

 Linux Passwords 183

Compressing, Installing, and Compiling Linux 185

Hacking Linux 186

Reconnaissance 186

Scanning 186

Enumeration 188

Gaining Access 188

Privilege Escalation 190

Maintaining Access and Covering Tracks 191

Hardening Linux 194

Automated Assessment Tools 196

Automated Assessment Tools 196

 Source Code Scanners 197

 Application-Level Scanners 197

 System-Level Scanners 198

Automated Exploit Tools 201

Chapter Summary 203

Exam Preparation Tasks 204

Review All Key Topics 204

Define Key Terms 204

Command Reference to Check Your Memory 205

Exercises 205

5.1 Downloading and Running Backtrack 205

5.2 Using Backtrack to Perform a Port Scan 206

5.3 Creating a Virtual Machine 206

5.4 Cracking Passwords with John the Ripper 207

Review Questions 208

Suggested Reading and Resources 210

Chapter 6 Trojans and Backdoors 213

“Do I Know This Already?” Quiz 213

Foundation Topics 216

Trojans 216

Trojan Types 216

Trojan Ports and Communication Methods 217

Trojan Goals 219

Trojan Infection Mechanisms 219

Effects of Trojans 220

Trojan Tools 221

Distributing Trojans 225

Trojan Tool Kits 226

Covert Communication 227

Covert Communication Tools 231

 Port Redirection 232

 Other Redirection and Covert Tools 234

Keystroke Logging and Spyware 235

Hardware 236

Software 236

Spyware 237

Trojan and Backdoor Countermeasures 238

Chapter Summary 240

Exam Preparation Tasks 241

Review All Key Topics 241

Define Key Terms 242

Command Reference to Check Your Memory 242

Exercises 243

6.1 Finding Malicious Programs 243

6.2 Using a Scrap Document to Hide Malicious Code 244

6.3 Using Process Explorer 244

Review Questions 246

Suggested Reading and Resources 248

Chapter 7 Sniffers, Session Hijacking, and Denial of Service 251

“Do I Know This Already?” Quiz 251

Foundation Topics 254

Sniffers 254

Passive Sniffing 254

Active Sniffing 255

 Address Resolution Protocol 255

 ARP Poisoning and Flooding 256

Tools for Sniffing 260

 Wireshark 260

 Other Sniffing Tools 262

Sniffing and Spoofing Countermeasures 263

Session Hijacking 264

Transport Layer Hijacking 264

 Predict the Sequence Number 265

 Take One of the Parties Offline 267

 Take Control of the Session 267

Application Layer Hijacking 267

 Session Sniffing 267

 Predictable Session Token ID 268

 Man-in-the-Middle Attacks 268

 Man-in-the-Browser Attacks 269

 Client-Side Attacks 269

Session-Hijacking Tools 271

Preventing Session Hijacking 273

Denial of Service, Distributed Denial of Service, and Botnets 274

Types of DoS 275

 Bandwidth Attacks 276

 SYN Flood Attacks 277

 Program and Application Attacks 277

Distributed Denial of Service 278

 DDoS Tools 280

Botnets 282

DoS, DDOS, and Botnet Countermeasures 285

Summary 288

Exam Preparation Tasks 289

Review All Key Topics 289

Define Key Terms 290

Exercises 290

7.1 Scanning for DDoS Programs 290

7.2 Using SMAC to Spoof Your MAC Address 291

Review Questions 291

Suggested Reading and Resources 294

Chapter 8 Web Server Hacking, Web Applications, and Database Attacks 297

“Do I Know This Already?” Quiz 297

Foundation Topics 300

Web Server Hacking 300

Scanning Web Servers 302

 Banner Grabbing and Enumeration 302

Web Server Vulnerability Identification 306

Attacks Against Web Servers 307

 IIS Vulnerabilities 308

 Securing IIS and Apache Web Servers 312

Web Application Hacking 314

Unvalidated Input 315

Parameter/Form Tampering 315

Injection Flaws 315

Cross-Site Scripting and Cross-Site Request Forgery Attacks 316

Hidden Field Attacks 317

 Other Web Application Attacks 318

Web-Based Authentication 319

Web-Based Password Cracking and Authentication Attacks 320

 Cookies 324

 URL Obfuscation 324

Intercepting Web Traffic 326

Database Hacking 329

Identifying SQL Servers 330

SQL Injection Vulnerabilities 331

SQL Injection Hacking Tools 333

Summary 334

Exam Preparation Tasks 335

Review All Key Topics 335

Define Key Terms 336

Exercise 336

8.1 Hack the Bank 336

Review Questions 337

Suggested Reading and Resources 339

Chapter 9 Wireless Technologies, Mobile Security, and Attacks 341

“Do I Know This Already?” Quiz 341

Foundation Topics 344

Wireless Technologies 344

Wireless History 344

Satellite TV 344

Cordless Phones 346

Cell Phones and Mobile Devices 346

Mobile Devices 348

 Smartphone Vulnerabilities and Attack Vectors 349

 Android 350

 iOS 352

 Windows Phone 8 352

 BlackBerry 353

 Mobile Device Management and Protection 353

Bluetooth 354

Wireless LANs 355

Wireless LAN Basics 355

Wireless LAN Frequencies and Signaling 357

Wireless LAN Security 358

Wireless LAN Threats 361

 Eavesdropping 362

 Configured as Open Authentication 363

 Rogue and Unauthorized Access Points 363

 Denial of Service (DoS) 365

Wireless Hacking Tools 366

 Discover WiFi Networks 366

 Perform GPS Mapping 367

 Wireless Traffic Analysis 367

 Launch Wireless Attacks 368

 Crack and Compromise the WiFi Network 368

Securing Wireless Networks 369

 Defense in Depth 369

 Site Survey 371

 Robust Wireless Authentication 372

 Misuse Detection 373

Summary 374

Exam Preparation Tasks 374

Review All Key Topics 375

Define Key Terms 375

Review Questions 375

Suggested Reading and Resources 378

Chapter 10 IDS, Firewalls, and Honeypots 381

“Do I Know This Already?” Quiz 381

Intrusion Detection Systems 385

IDS Types and Components 385

Pattern Matching and Anomaly Detection 387

Snort 388

IDS Evasion 392

 IDS Evasion Tools 394

Firewalls 395

Firewall Types 395

 Network Address Translation 395

 Packet Filters 396

 Application and Circuit-Level Gateways 398

 Stateful Inspection 399

Identifying Firewalls 400

Bypassing Firewalls 402

Honeypots 407

Types of Honeypots 408

Detecting Honeypots 409

Summary 410

Exam Preparation Tasks 411

Review All Key Topics 411

Define Key Terms 411

Review Questions 412

Suggested Reading and Resources 414

Chapter 11 Buffer Overflows, Viruses, and Worms 417

“Do I Know This Already?” Quiz 417

Foundation Topics 420

Buffer Overflows 420

What Is a Buffer Overflow? 420

Why Are Programs Vulnerable? 421

Understanding Buffer-Overflow Attacks 423

Common Buffer-Overflow Attacks 426

Preventing Buffer Overflows 427

Viruses and Worms 429

Types and Transmission Methods of Viruses 429

Virus Payloads 431

History of Viruses 432

Well-Known Viruses 434

 The Late 1980s 434

 The 1990s 434

 2000 and Beyond 435

Virus Tools 438

Preventing Viruses 439

Antivirus 440

Malware Analysis 442

 Static Analysis 442

 Dynamic Analysis 445

Summary 446

Exam Preparation Tasks 447

Review All Key Topics 447

Define Key Terms 447

Exercises 448

11.1 Locating Known Buffer Overflows 448

11.2 Review CVEs and Buffer Overflows 449

Review Questions 449

Suggested Reading and Resources 451

Chapter 12 Cryptographic Attacks and Defenses 453

“Do I Know This Already?” Quiz 453

Foundation Topics 456

Functions of Cryptography 456

History of Cryptography 457

Algorithms 459

Symmetric Encryption 460

 Data Encryption Standard (DES) 461

 Advanced Encryption Standard (AES) 463

 Rivest Cipher (RC) 463

 Asymmetric Encryption (Public Key Encryption) 464

 RSA 465

 Diffie-Hellman 465

 ElGamal 466

 Elliptic Curve Cryptography (ECC) 466

Hashing 466

 Digital Signature 467

 Steganography 468

 Steganography Operation 469

 Steganographic Tools 470

 Digital Watermark 472

 Digital Certificates 473

Public Key Infrastructure 474

Trust Models 475

 Single Authority 475

 Hierarchical Trust 476

 Web of Trust 476

Protocols, Standards, and Applications 477

Encryption Cracking and Tools 479

 Weak Encryption 481

Encryption-Cracking Tools 482

Summary 483

Exam Preparation Tasks 484

Review All Key Topics 484

Define Key Terms 484

Exercises 485

12.1 Examining an SSL Certificate 485

12.2 Using PGP 486

12.3 Using a Steganographic Tool to Hide a Message 487

Review Questions 487

Suggested Reading and Resources 490

Chapter 13 Physical Security and Social Engineering 493

“Do I Know This Already?” Quiz 493

Foundation Topics 496

Physical Security 496

Threats to Physical Security 496

Equipment Controls 499

 Locks 499

 Fax Machines 504

Area Controls 505

Location Data and Geotagging 506

Facility Controls 508

Personal Safety Controls 510

 Fire Prevention, Detection, and Suppression 510

Physical Access Controls 511

 Authentication 511

Defense in Depth 512

Social Engineering 513

Six Types of Social Engineering 513

Person-to-Person Social Engineering 514

Computer-Based Social Engineering 514

Reverse Social Engineering 515

Policies and Procedures 515

 Employee Hiring and Termination Policies 516

 Help Desk Procedures and Password Change Policies 516

 Employee Identification 516

 Privacy Policies 517

 Governmental and Commercial Data Classification 518

 User Awareness 519

Summary 519

Exam Preparation Tasks 520

Review All Key Topics 520

Define Key Terms 521

Exercises 521

13.1 Biometrics and Fingerprint Recognition 521

Review Questions 522

Suggested Reading and Resources 524

Chapter 14 Final Preparation 527

Tools for Final Preparation 527

Pearson Cert Practice Test Engine and Questions on the CD 527

 Install the Software from the CD 527

 Activate and Download the Practice Exam 528

 Activating Other Exams 529

 Premium Edition 529

Memory Tables 530

End-of-Chapter Review Tools 530

Suggested Plan for Final Review and Study 530

Summary 532

Glossary 535

Practice Exam 1 EC-Council CEH 312-50 561

Practice Exam 2 EC-Council CEH 312-50 603

Appendix A Answers to the “Do I Know This Already?” Quizzes and Review Questions (CD only)

Appendix B Memory Tables (CD only)

Appendix C Memory Table Answer Key (CD only)

 

9780789751270   TOC   11/4/2013