CEH v7 notes

CEH v7 and v8 Notes

Terms
o Bit flipping = integrity attack, predictable outcomes
o Tiger team = group of people testing a system
o TOE = target of evaluation
o Threat = can harm or cause loss to an IT asset
o Vulnerability = weakness exploited by a threat
o FISMA = gov’t framework for security

3 main phases
o Preparation
o Assessment
o Conclusion

5 stages of a hack
o Recon
o Scanning and enumeration
o Gaining access (then escalation of privileges)
o Maintaining access
o Covering tracks

Cisco Aironet default username/password: Cisco/Cisco

Websites
o www.wigle.net
o www.fastandeasyhacking.com (Armitage)
o www.sectools.org

Google search
o site:
o cache:
o intitle:
o inurl:
Cryptography
o XOR (exclusive OR) = stream cipher, very fast, key length important
o Block vs stream ciphers = what is the difference?
o Salt = adding random bits to a hashing algorithm

Linux
o Single user mode = super user account
    - Must be physically at the machine
    - “linux single” = command

o Sidejacking = replay cookies for passwords and SSL
o ADS = alternate data streams, hide files inside files
o Disgruntled employee is the single biggest threat

Physical security
o Physical measures: locks, lighting
o Technical measures: authentication
o Operational measures: policies, procedures

Binary = even numbers end in 0, odd numbers end in 1

XSS
o Know what the indicators of XSS are in a URL

Karen’s Cookie Viewer

Tools
o Nmap
o Netcat = Swiss army knife of TCP/IP hacking
o Dig = Domain Information Groper (simulates a DNS server)
o Nessus = most common vulnerability scanner
o Metasploit
o Ettercap = packet sniffer, like Wireshark
o Snort
o Hping3 commands
    - RA flag = reset/closed
    - SA flag = open

Enumeration
o Null session?

Web Pages
o CGI = Common Gateway Interface, can run scripts, all run as the same user
o SSI = Server Side Includes, inside HTML but evaluated on the server
o Parameter tampering = URL tampering

Check
o TCP flags
o ICMP codes
o Nmap codes (Quizlet)

SQL
o Single quote begins SQL injection attempts
Wireless
o Rogue access points = mis-association attack
o MAC spoofing tools = TMAC, MAC
o BSA = basic service area, footprint
o BSS = basic service set
o ESS = extended service set, with multiple APs; moving between APs is roaming

Bluetooth
o Bluesniffing
o Bluesmacking
o Bluesnarfing
o Bluejacking
Viruses
o Sigverif
o Tripwire
o HK-local machine
o Sheepdip system = standalone AV checker computer
o Stages of virus life?

Attacks
o Phlashing = flashing or bricking a system, physical damage
o Session hijacking = see sequence numbers increasing with ACK (see pg 300 AIO)
o Review pg 304 AIO
Assessments
o Security assessment = any test of security on a network or system
o Security audit = vulnerability assessment (find but don’t test)
o Penetration test = verification requires trying it

Types of penetration tests
o External = analyzes publicly available information
o Internal assessment = within the organization
o Black box = no prior knowledge of the infrastructure at all, longest to do
o Grey box = limited knowledge
o White box = internal knowledge of the org

Phases
o Pre-attack
o Attack
    - Penetrate
    - Acquire targets
    - Execute attack
    - Elevate privileges
o Post-attack
    - Remove
    - Restore


1 - 2 - types of nmap scans and their responses
3 - ICMP codes
4 - TCP handshake
6 - dig syntax
7 - hping2 syntax
8 - wireshark syntax
9 - wireshark output
10 - snort syntax
11 - block/stream cipher
13 - hashing
14 - LANMan Hash
15 - How many bits is xyz encryption?
16 - MAC authentication
17 - DHCP snooping
18 - SQL injection
19 - XSS