CEHv8 Study Guide

TCP/IP Flags
o Flags in header bit order: CWR ECE URG ACK PSH RST SYN FIN
# CWR - Congestion Window Reduced
# ECE - Explicit Congestion Notification echo
# URG - Urgent
# ACK - Acknowledgement
# PSH - Push
# RST - Reset
# SYN - Synchronize
# FIN - Finished
What three scans don’t work against Windows?
o FIN, XMAS, and NULL
o Windows machines give no response, even if a port is closed, which violates RFC 793
Three-way TCP handshake
o SYN, SYN/ACK, ACK
Loose source routing
o Loose Source Routing is a technique whereby the sender of a packet can specify the
route that a packet should take through the network. This enables a hacker to read
traffic without being the ultimate destination.
IDLE scan
o Allows port scanning without sending a single packet to the target directly from the
hacker's IP address. Open and closed ports are detected by observing changes in the
“fragment identification” number (the IP ID field) on a zombie machine.
FTP Bounce Scan
o Tricks an FTP server into scanning a host, thus maintaining the anonymity of the
attacker.
SYN scan
o In a SYN scan, only SYN packets are sent, never the final ACK, so the handshake is never
completed. This makes it stealthy: the probe does not appear as a completed connection in
firewall logs.
Connect Scan
o Forms a complete TCP connection. It is the most reliable form of scanning.
Three types of scanning
o Port
o Network
o Vulnerability
IP Fragments
o IP fragments are packets which carry only part of a TCP packet, and must be
reassembled. They can be used to evade network intrusion detection.
Daisy chaining
o Hackers who get away with database theft
SOAP (Simple Object Access Protocol)
o A protocol for exchanging XML-based messages using HTTP or SMTP as the transport.
SAM (Security Accounts Manager)
o A database of usernames, passwords, and permissions in the Windows architecture.
Null session
o An unauthenticated connection to a network share by an anonymous user on an
unidentified system.
NOP
o An instruction that tells the processor to do nothing. Almost all processors have a NOP
instruction that performs a null operation. In the Intel architecture, the NOP instruction
is one byte long and translates to 0x90 in machine code. A long run of NOP instructions
is called a NOP slide or sled. The CPU executes the NOPs one after another until it reaches
the actual payload, which sits at the end of the sled (just before the return pointer).
Honeynet
o An entire virtual network that is presented as a large honeypot.
HFS = Hierarchical File System
o A file system used in Mac OS X. It stores data in a top to bottom organization structure.
HTTP Commands
o GET = request a file from a web server
Firewalking
o A method to collect information about a remote network protected by a firewall. Uses
traceroute-like IP packet analysis to determine whether a data packet can pass through
the packet-filtering device/firewall from the attacker's host to the victim's host.
Extended Stack Pointer (ESP)
o A location identifier used to access parameters passed into a subroutine as arguments.
Calling Procedure
o A software routine that passes control to a different software routine. When these
routines exist on separate computers, the systems often use Remote Procedure Call
(RPC) libraries. Also refers to function calls and subroutines.
Banner Grabbing
o A technique that enables a hacker to identify the type of OS or application. Banner
requests often use legitimate connection requests, such as Telnet.
Daemon
o A background program that resides on a computer and services requests.
Cross-Site Scripting
o A web security exploit in which a malicious script is injected into a web page and executed by the victim's browser.
COBIT
o
OWASP
o
Ettercap
Kismet
Aircrack-ng
Hping3
SSLstrip
CSRF (Cross Site Request Forgery)
Burp Cross Site Request Forgery Testing
Wireshark screenshot
o
John the Ripper
o
Cain and Abel
o
RC5 vs MD5
o
sc query command
o
Metasploit payload
o
Snort
o
Pivot attacks
o