Introduction to Certified Ethical Hacker certification

Cleveland Institute of Electronics Bookstore Course
Introduction to
Certified Ethical
Hacker certification
Lessons 1141B through 1150B
For Version 7.1
Table of Contents
Chat with Your Instructor ................................................................................................... 2
Chapter 1— Ethical Hacking .............................................................................................. 3
Chapter 2— Footprinting and Reconnaissance................................................................... 4
Lesson 1141B Examination ............................................................................................ 5
Chapter 3— Scanning ......................................................................................................... 7
Chapter 4— Enumeration ................................................................................................... 8
Lesson 1142B Examination ............................................................................................ 9
Chapter 5— System Hacking............................................................................................ 11
Lesson 1143B Examination .......................................................................................... 12
Chapter 6— Trojans and Backdoors ................................................................................. 14
Chapter 7— Viruses and Worms ...................................................................................... 15
Lesson 1144B Examination .......................................................................................... 16
Chapter 8— Sniffers ......................................................................................................... 18
Lesson 1145B Examination .......................................................................................... 19
Chapter 9— Social Engineering ....................................................................................... 21
Chapter 10— Denial of Service ........................................................................................ 22
Lesson 1146B Examination .......................................................................................... 23
Chapter 11— Web Servers and Applications ................................................................... 25
Lesson 1147B Examination .......................................................................................... 26
Chapter 12— Hacking Wireless Networks ....................................................................... 28
Lesson 1148B Examination .......................................................................................... 29
Chapter 13— IDS, Firewalls, and Honeypots .................................................................. 31
Chapter 14— Buffer Overflows........................................................................................ 32
Lesson 1149B Examination .......................................................................................... 33
Chapter 15— Cryptography.............................................................................................. 35
Chapter 16— Penetration Testing ..................................................................................... 36
Lesson 1150B Examination .......................................................................................... 37
Chat with Your Instructor
This Study Guide will offer some suggestions about how to cover the material in the
class. One of the things you should know, regardless of the class you are taking, is that
the instructor can’t be the sole repository of information for the class – and neither can
the textbook. Technology simply moves too quickly for that to be a viable option. There
is a whole Internet out there. Chances are, someone, somewhere has encountered
whatever problem you are having and has solved it. And chances are, someone who has
solved your problem has posted the solution on the web. It might not be the exact
solution, but it will get you moving toward solving the problem.
Having said that, the vaguer an assignment is, the more you will learn from it. The author
of the text will walk you through some possible attacks, which will help you to, at the
minimum, harden your systems and inform your users. The tutorial sections sprinkled
throughout the chapters are very much like this. We do not want to inhibit you in any way
if possible; we want you to think what needs to be improved. Of course, there are always
students who need more direction and will need to be dealt with individually.
Nevertheless, this is college. Students need to explore – not be led by the nose step by
step.
This book assumes that you have knowledge of basic computer and network terminology.
It also is not going to make you a hacker, nor is it enough knowledge to guarantee that
you can sit for the exam. The one thing we want to make perfectly clear is that this course
is designed to introduce, not to make proficient. It uses one of the resources prepared by
EC-Council for the exam, but it is not directly associated with them. It is our attempt to
round out your knowledge and maybe cause you to want to learn more about the topics
inside.
If you have a technical problem, we recommend the following:
• First, check the textbook that accompanies the study guide.
• Research some of the information at the appropriate websites (a search using the
  key terms may also be helpful).
• Feel free to call the instruction department during business hours (8:30 AM to 6
  PM Eastern time), Monday through Friday, and Saturday during the weekend
  hours (8:30 AM to 5 PM Eastern time). Be prepared to describe which lesson you
  are working on and the problem you are having.
Instructional Support Addresses and Phone Numbers
Main Support Help Line:
(800) 243-6446 or (216) 781-9400
E-mail address:
faculty@cie-wc.edu
Instructional Support is available business hours (Eastern time) Monday through
Saturday.
Mailing address:
Cleveland Institute of Electronics
1776 East 17th Street
Cleveland, OH 44114
Chapter 1— Ethical Hacking
Overview
The first chapter of a broad-ranging information security course is always about setting the tone and
establishing the fundamentals: vocabulary, context, and most of all, why this information is
important. It also discusses some of the basic legal issues and moral dilemmas that security researchers face
as they practice in this profession.
Objectives
• Understand the issues plaguing the information security world
• Gain knowledge of the various hacking terminologies
• Learn the basic elements of information security
To be successful in this lesson:
• Read Chapter 1
• Read the Study Guide for Lesson 1141B
• Study the Key Terms (italicized throughout the chapter)
• Complete and check the Practice Exam Questions on pages 251 through 253
  (Answers on pages 298 & 299)
If you have the resources available to you, please complete the “Try It Out” activities
throughout the chapter; they will benefit your learning. Once you have completed the
next chapter and its exam, continue to the next lesson.
Chapter 2— Footprinting and Reconnaissance
Overview
The first step of any attack is reconnaissance and information gathering. This chapter goes beyond the
obvious and provides a checklist of ways to learn as much as possible about a target. Footprinting uses both
passive and active techniques, and it is the most important step of the attack process.
Objectives
• Understand the term footprinting
• Learn the areas and information that hackers seek
• Gain knowledge of information gathering tools and methodology
To be successful in this lesson:
• Read Chapter 2
• Read the Study Guide for Lesson 1141B
• Study the Key Terms (italicized throughout the chapter)
• Complete and check the Practice Exam Questions on pages 253 through 256
  (Answers on pages 299 & 300)
If you have the resources available to you, please complete the “Try It Out” activities
throughout the chapter; they will benefit your learning. Once you have completed the
exam, continue to the next lesson.
Lesson 1141B Examination
Please complete the following exam. You may use the electronic grading system for quicker
response. Simply log on to www.study-electronics.com and enter your credentials. Once the exam
has been submitted, your results will be returned within 72 hours. You may also e-mail your
answers to faculty@cie-wc.edu, or fax them to us at 1-216-781-0331. If you have any questions,
please contact the Instruction Department.
1. This vulnerability test is ordered when the client wants the most realistic type of test possible.
(1) Red Hat test
(2) Black Hat test
(3) Grey Hat test
(4) White Hat test
2. When considering the types of attack listed below, which would be considered the most
dangerous?
(1) Malicious code attacks
(2) Application level attacks
(3) Social Engineering attacks
(4) Network-based attacks
3. The best attacks often exploit known bugs or flaws.
(1) True
(2) False
4. Which term best describes students enrolled in an Ethical Hacker class?
(1) Black Hat
(3) White Hat
(2) Grey Hat
(4) None of these
5. Which of these choices would NOT be considered an attack?
(1) Violating the terms of a warning banner
(2) Intentionally gaining unauthorized access
(3) Compromising a weak password to gain access
(4) All of these are attacks
6. Which of these choices is the least important during the footprinting stage?
(1) Creative Internet searches
(2) Basic Internet searches
(3) Determine what discoveries are important
(4) Learn as much about the target as possible
7. This field increments by one each time the zone is updated.
(1) Refresh Rate
(2) Retry Timer
(3) Serial Number
(4) Expiry Timer
8. This is how long the secondary server will wait before considering a zone to be dead.
(1) Refresh Rate
(2) Retry Timer
(3) Serial Number
(4) Expiry Timer
9. This Google hacking technique looks for potential numerical patterns within a query in order
to guess at files in locations that are not indexed.
(1) Find directory listings
(2) Incremental substitution
(3) Directory services
(4) Extension renaming
10. TOE is the acronym for ____.
(1) Trail of Evidence
(2) Target of Ease
(3) Terms of Exchange
(4) Target of Evaluation
END OF EXAMINATION
Chapter 3— Scanning
Overview
Once the attacker knows the outside addresses and, if possible, the inside topology, the network must be
footprinted and all operating systems and services identified and verified. This is a difficult step, as
defenses such as traffic filters and intrusion response systems will affect the attacker’s view of the network
and opportunities for attack.
Technical knowledge of scanning techniques, the protocols involved, and why the network looks different
to an attacker than it does to a designer, engineer, or administrator are covered in this chapter.
Objectives
• Understand the terms port scanning, network scanning and vulnerability scanning
• Understand the objectives of scanning
• Understand banner grabbing using OS fingerprinting, active stack fingerprinting, passive
  fingerprinting and other techniques and tools
To be successful in this lesson:
• Read Chapter 3
• Read the Study Guide for Lesson 1142B
• Study the Key Terms (italicized throughout the chapter)
• Complete and check the Practice Exam Questions on pages 256 through 259
  (Answers on pages 300 & 301)
If you have the resources available to you, please complete the “Try It Out” activities
throughout the chapter; they will benefit your learning. Once you have completed the
next chapter and its exam, continue to the next lesson.
Chapter 4— Enumeration
Overview
The attacker is getting eager to start doing some damage, but the disciplined ones know there is still some
work to be done. The live hosts, access points, and the roles each host has need to be understood better. The
enumeration chapter is about user accounts and logical topologies. In order to develop a real strategy, the
attacker must know what is happening above Layer 4.
Objectives
• Learn the system hacking cycle
• Understand enumeration and its techniques
• Understand null sessions and their countermeasures
To be successful in this lesson:
• Read Chapter 4
• Read the Study Guide for Lesson 1142B
• Study the Key Terms (italicized throughout the chapter)
• Complete and check the Practice Exam Questions on pages 259 through 262
  (Answers on pages 301 & 302)
If you have the resources available to you, please complete the “Try It Out” activities
throughout the chapter; they will benefit your learning. Once you have completed the
exam, continue to the next lesson.
Lesson 1142B Examination
Please complete the following exam. You may use the electronic grading system for quicker
response. Simply log on to www.study-electronics.com and enter your credentials. Once the exam
has been submitted, your results will be returned within 72 hours. You may also e-mail your
answers to faculty@cie-wc.edu, or fax them to us at 1-216-781-0331. If you have any questions,
please contact the Instruction Department.
1. A TCP session is established when two hosts complete a handshake, but two other fields are
also included to keep the session organized. Those two fields are ____ and ____.
(1) Target port number
(2) Acknowledgement number
(3) Synchronization number
(4) Sequence number
(5) Both 1 and 2
(6) Both 1 and 3
(7) Both 2 and 4
(8) Both 2 and 3
2. Using inverse scanning methods, Microsoft Windows hosts will respond with this flag when
confusing traffic is received on an open port.
(1) SYN
(2) ACK
(3) FIN
(4) URG
(5) PSH
(6) RST
3. This message type is sent out on the internal local network segment to discover responders.
(1) Maintenance
(2) Broadcast
(3) Sequenced
(4) Ping
4. Echo requests are sent out during an ICMP scan; at the same time echo replies are
anticipated. Which type and code represents an Echo reply?
(1) Type 0 code 8
(2) Type 0 code 0
(3) Type 8 code 0
(4) Type 8 code 8
5. The protocol responsible for translating the logical network address into the physical address
is ____.
(1) ARP
(2) RFC
(3) MAC
(4) ICMP
6. Using LDAP, this identifies a user object uniquely.
(1) UIN
(2) OID
(3) DUN
(4) DN
7. Which value is the most restrictive when considering the three possible values for the
RestrictAnonymous key?
(1) 1
(2) 2
(3) 3
(4) 0
8. Which port will be used when running SMB over TCP/IP on a PC running a Microsoft OS
when NetBT is disabled?
(1) 445
(2) 389
(3) 139
(4) 111
9. In an attack using SNMP for enumeration, the highest level objective would be to access the
____.
(1) NMS
(2) MIB
(3) OID
(4) All are correct
10. Which of these could be used to administer LDAP?
(1) MMC
(2) Jxplorer
(3) Ldap.exe
(4) All could be used
END OF EXAMINATION
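Question 1 above asks which two fields keep a TCP session organized after the handshake. The following simulation is an added example, not part of the study guide or of any EC-Council material: it models the three-way handshake with sequence and acknowledgement numbers, shows that a replayed or out-of-sequence segment is dropped, and then shows why a server whose initial sequence number (ISN) is predictable can be tricked into accepting a spoofed handshake from an attacker who never sees the SYN/ACK. The fixed-increment ISN generator and the "zero extra window" acceptance rule are simplifying assumptions of this model, not a description of any particular operating system; no sockets are used.

```python
"""Added example (not from the study guide): a pure simulation of TCP sequence
and acknowledgement numbers and of blind ISN prediction.  No sockets are used."""
import secrets
from dataclasses import dataclass

MOD = 1 << 32            # sequence numbers are 32-bit and wrap


@dataclass
class Segment:
    flags: frozenset
    seq: int
    ack: int
    payload: bytes = b""


class Endpoint:
    def __init__(self, isn: int):
        self.snd_nxt = isn % MOD   # next sequence number this side will send
        self.rcv_nxt = None        # next sequence number expected from the peer

    def send(self, flags, payload: bytes = b"") -> Segment:
        seg = Segment(frozenset(flags), self.snd_nxt,
                      self.rcv_nxt if self.rcv_nxt is not None else 0, payload)
        # SYN and FIN each consume one sequence number; data consumes its length
        consumed = len(payload) + ("SYN" in flags) + ("FIN" in flags)
        self.snd_nxt = (self.snd_nxt + consumed) % MOD
        return seg

    def receive(self, seg: Segment) -> bool:
        """Accept a segment only if it fits the session state (simplified: no window)."""
        if "ACK" in seg.flags and seg.ack != self.snd_nxt:
            return False                              # acknowledges bytes never sent
        if "SYN" in seg.flags and self.rcv_nxt is None:
            self.rcv_nxt = (seg.seq + 1) % MOD        # peer's ISN + 1
            return True
        if seg.seq != self.rcv_nxt:
            return False                              # out of sequence or replay: dropped
        self.rcv_nxt = (self.rcv_nxt + len(seg.payload) + ("FIN" in seg.flags)) % MOD
        return True


def handshake(client_isn: int, server_isn: int):
    """Three-way handshake; returns both endpoints and the three segments."""
    client, server = Endpoint(client_isn), Endpoint(server_isn)
    syn = client.send({"SYN"})
    assert server.receive(syn)
    synack = server.send({"SYN", "ACK"})
    assert client.receive(synack)
    ack = client.send({"ACK"})
    assert server.receive(ack)
    return client, server, (syn, synack, ack)


def predictable_isn(counter: int) -> int:
    """Assumed old-style ISN generator: a fixed increment per connection."""
    return (counter * 64000) % MOD


def random_isn() -> int:
    return secrets.randbits(32)


def blind_spoof(server: Endpoint, server_isn_guess: int) -> bool:
    """Attacker spoofs a trusted client's address: sends SYN, never sees the
    SYN/ACK (it goes to the real client), and must finish with an ACK that
    acknowledges a guessed server ISN."""
    attacker = Endpoint(random_isn())
    server.receive(attacker.send({"SYN"}))
    server.send({"SYN", "ACK"})                      # delivered to the spoofed host, unseen
    forged = Segment(frozenset({"ACK"}), attacker.snd_nxt, (server_isn_guess + 1) % MOD)
    return server.receive(forged)


def demo(isn_source) -> bool:
    """Probe the server once to observe its ISN, predict the next one, then spoof."""
    observed = isn_source()                          # ISN seen on the attacker's own connection
    guess = (observed + 64000) % MOD
    return blind_spoof(Endpoint(isn_source()), guess)


if __name__ == "__main__":
    counter = iter(range(1, 1000))
    print("predictable ISN, spoofed handshake accepted:",
          demo(lambda: predictable_isn(next(counter))))
    print("random ISN,      spoofed handshake accepted:", demo(random_isn))
```

Two things to take from running it: the acknowledgement number of each side is always the peer's next expected sequence number (SYN consumes one number, so the SYN/ACK carries ISN+1), and a blind attacker's success depends entirely on guessing that number. With random ISNs the guess succeeds with probability 2^-32 per attempt, which is why modern stacks randomize them.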
Chapter 5— System Hacking
Overview
Finally, the target is well enough understood to begin the gaining access and maintaining access phases.
Perhaps a privileged user account can be compromised. Maybe economic espionage is possible. The
attacker may have noticed that unpatched systems exist which can be attacked with commonly available exploit
tools. This chapter explores these vectors in detail.
Objectives
• Understand the different types of passwords
• Identify the different types of password attacks
• Identify password cracking techniques as well as countermeasures
To be successful in this lesson:
• Read Chapter 5
• Read the Study Guide for Lesson 1143B
• Study the Key Terms (italicized throughout the chapter)
• Complete and check the Practice Exam Questions on pages 262 through 265
  (Answers on pages 302 & 303)
If you have the resources available to you, please complete the “Try It Out” activities
throughout the chapter; they will benefit your learning. Once you have completed the
exam, continue to the next lesson.
Lesson 1143B Examination
Please complete the following exam. You may use the electronic grading system for
quicker response. Simply log on to www.study-electronics.com and enter your
credentials. Once the exam has been submitted, your results will be returned within 72
hours. You may also e-mail your answers to faculty@cie-wc.edu, or fax them to us at
1-216-781-0331. If you have any questions, please contact the Instruction Department.
1. Which of these identifies the practice of hiding information inside other information in a
manner usually undetected by eye?
(1) $Data stream
(2) Steganography
(3) Encryption
(4) ADS
2. Rootkits provide root privileges automatically.
(1) True
(2) False
3. Which of these is considered a passive type of attack?
(1) Password sniffing
(2) Password guessing
(3) Replay
(4) Session Hijacking
(5) Document shredding
4. An attack that substitutes predetermined characters such as S with alternates such as $ using
regular expressions is known as a(n) ____ attack.
(1) Syllable
(2) Brute force
(3) Rule-based
(4) Hybrid
5. The most effective way of exploiting the primary weakness of the hashing algorithm in
passwords stored as hashes is ____.
(1) Hash reversal
(2) Substitution
(3) Collision
(4) None of these is effective
6. This data protection type is considered the easiest way to implement and manage.
(1) Smart Cards
(2) Passwords
(3) Keys
(4) USB keys
7. Which of these is not one of the three different types of privilege escalation?
(1) Horizontal
(2) Vertical
(3) De-escalation
(4) SIUD
8. Which of these is considered the most efficient and effective active online attack?
(1) Replay
(2) Password guessing
(3) Password sniffing
(4) Man-in-the-Middle
9. Which of these implementations uses the MD5 hashing algorithm?
(1) Kerberos
(2) NTLMv2
(3) LM
(4) All of them use it
10. Which location would not store passwords on a Windows host?
(1) Shadow file
(2) SAM file
(3) Repair file
(4) The registry
END OF EXAMINATION
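Question 4 above describes the rule-based (hybrid) attack that rewrites dictionary words with substitutions such as S to $. The block below is an added example, not from the study guide or the textbook: a small interpreter for a subset of the rule syntax used by John the Ripper and hashcat, run over a constructed wordlist and rule set against a stored hash. The hash format (SHA-256 over salt + password) and the wordlist are assumptions made for the demo; real password stores use other formats, and real attacks use far larger lists.

```python
"""Added example (not from the study guide): a rule-based (hybrid) password
attack.  Rules mangle dictionary words (capitalise, append, substitute s->$,
o->0, ...) and each candidate is hashed and compared with the stored hash."""
import hashlib
import itertools


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule string. Supported ops: ':' no-op, 'l' lower, 'u' upper,
    'c' capitalise, 'r' reverse, '$X' append X, '^X' prepend X, 'sXY' replace X with Y."""
    out, i = word, 0
    while i < len(rule):
        op = rule[i]
        if op in (" ", ":"):
            i += 1
        elif op == "l":
            out, i = out.lower(), i + 1
        elif op == "u":
            out, i = out.upper(), i + 1
        elif op == "c":
            out, i = out[:1].upper() + out[1:].lower(), i + 1
        elif op == "r":
            out, i = out[::-1], i + 1
        elif op == "$":
            out, i = out + rule[i + 1], i + 2
        elif op == "^":
            out, i = rule[i + 1] + out, i + 2
        elif op == "s":
            out, i = out.replace(rule[i + 1], rule[i + 2]), i + 3
        else:
            raise ValueError(f"unknown rule op {op!r} in {rule!r}")
    return out


def hash_password(salt: str, password: str) -> str:
    """Constructed storage format for the demo: SHA-256 over salt + password."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed wordlist and rule set; real attacks use far larger ones.
WORDLIST = ["password", "letmein", "summer", "welcome"]
RULES = [":", "c", "c $1", "c ss$", "c ss$ so0", "c ss$ so0 $1", "u $! $1", "r"]


def crack(target_hash: str, salt: str, wordlist=WORDLIST, rules=RULES):
    """Return (password, rule, candidates_tried), or (None, None, tried) on failure."""
    tried = 0
    for word, rule in itertools.product(wordlist, rules):
        candidate = apply_rule(word, rule)
        tried += 1
        if hash_password(salt, candidate) == target_hash:
            return candidate, rule, tried
    return None, None, tried


if __name__ == "__main__":
    salt = "s4lt"                                   # constructed
    stored = hash_password(salt, "Pa$$w0rd1")       # what a leaked database row would hold
    print(crack(stored, salt))                      # found after 6 candidates
```

The point for the defender is the candidate count: "Pa$$w0rd1" looks like it satisfies a complexity policy, yet it falls within a handful of guesses because it is a dictionary word plus a predictable transformation. Length and unpredictability, not character-class substitutions, are what make rule-based attacks expensive.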
Chapter 6— Trojans and Backdoors
Overview
If it is hard to attack the target directly, maybe the target will come to the attacker. This chapter builds on
the system hacking chapter and shows how techniques can be combined together to gain and maintain
access to systems. The chapter explores one of the oldest yet still very much relevant daily security
concerns.
Objectives
• Define a Trojan
• Identify overt and covert channels
• Learn Windows startup monitoring tools
To be successful in this lesson:
• Read Chapter 6
• Read the Study Guide for Lesson 1144B
• Study the Key Terms (italicized throughout the chapter)
• Complete and check the Practice Exam Questions on pages 265 through 268
  (Answers on pages 304 & 305)
If you have the resources available to you, please complete the “Try It Out” activities
throughout the chapter; they will benefit your learning. Once you have completed the
next chapter and its exam, continue to the next lesson.
Chapter 7— Viruses and Worms
Overview
If hosts that are of value to the attacker cannot be precisely targeted, the strategy may turn to attacking as
many as possible, in the shortest amount of time, to the greatest effect. If one piece of code can be written
that will then do all the work for the attacker, all the better. Knowing there are others in the world who will
capture your code, create a variant, and send it back out may amplify the results. This chapter explores a
category of automated, self-propagating attacks.
Objectives
• Understand the computer virus and its history
• Understand how a computer gets infected by viruses
• Understand the difference between a virus and a worm
To be successful in this lesson:
• Read Chapter 7
• Read the Study Guide for Lesson 1144B
• Study the Key Terms (italicized throughout the chapter)
• Complete and check the Practice Exam Questions on pages 268 through 271
  (Answers on pages 305 & 306)
If you have the resources available to you, please complete the “Try It Out” activities
throughout the chapter; they will benefit your learning. Once you have completed the
exam, continue to the next lesson.
Lesson 1144B Examination
Please complete the following exam. You may use the electronic grading system for
quicker response. Simply log on to www.study-electronics.com and enter your
credentials. Once the exam has been submitted, your results will be returned within 72
hours. You may also e-mail your answers to faculty@cie-wc.edu, or fax them to us at
1-216-781-0331. If you have any questions, please contact the Instruction Department.
1. Programs that perform operations like opening the CD tray, changing the desktop image or
the screen resolution are considered this type of tool.
(1) Lamer
(2) Desktop control
(3) Bot
(4) Reverse shell
2. Which of these is not a CEH recognized category of malicious programs?
(1) Viruses
(2) Worms
(3) Malware
(4) Trojans and rootkits
3. This freeware tool is included in Windows to control and manage startup.
(1) Winpatrol
(2) Hijack This
(3) Msconfig
(4) Autoruns
4. A program that appears to perform desirable and necessary functions but performs other
functions that are not known or needed are known as ____.
(1) Rootkit
(2) Malicious software
(3) Backdoor
(4) Trojan
5. Installs an illicit server on the victim and then accesses from a client.
(1) Remote Access Trojan
(2) Denial of Service Trojan
(3) Data Sending Trojan
(4) FTP Trojan
6. A type of social engineering attack that is designed to waste the time of victims and consume
network bandwidth when these users e-mail news of the threat is called a ____.
(1) Network virus
(2) Stealth virus
(3) Hoax
(4) MBR virus
7. This statement represents a worm more than a virus.
(1) Difficult to remove without damaging the system
(2) Executes itself and can include its own spreader
(3) Requires a user-initiated event to spread and needs a carrier
(4) Typically affects executable files; can hide in media files
8. This was the first working virus found in the wild.
(1) Elk Cloner
(2) Reaper
(3) Creeper
(4) Wabbit
9. The ____ hides from the antivirus software and copies itself to a temporary location, leaving
infected files to be clean when scanned.
(1) Network virus
(2) Stealth virus
(3) Hoax
(4) MBR virus
10. The ____ overwrites the instructions at the disk location Cylinder 0, Head 0, Sector 1 and
then copies itself into RAM and onto other disks.
(1) Network virus
(2) Stealth virus
(3) Hoax
(4) MBR virus
END OF EXAMINATION
Chapter 8— Sniffers
Overview
Observing traffic is a piece of the puzzle between all of the techniques explored so far. It can be used for
information gathering, compromising sensitive data, or as a step in a sophisticated control technique. On
the defensive side, sniffing is a powerful troubleshooting, analysis, and testing technique. This chapter
shows how to make the rest of the information in this course observable to the most detailed level. It shows
how understanding the higher-level concepts, such as protocols and the expected events of a technique,
can lead the way to both more efficient attacks and more efficient countermeasures.
Objectives
• Understand sniffing and the protocols vulnerable to it
• Understand Address Resolution Protocol (ARP)
• Understand what session hijacking is
• Spoofing vs. hijacking
To be successful in this lesson:
• Read Chapter 8
• Read the Study Guide for Lesson 1145B
• Study the Key Terms (italicized throughout the chapter)
• Complete and check the Practice Exam Questions on pages 271 through 273
  (Answers on pages 306 & 307)
If you have the resources available to you, please complete the “Try It Out” activities
throughout the chapter; they will benefit your learning. Once you have completed the
exam, continue to the next lesson.
Lesson 1145B Examination
Please complete the following exam. You may use the electronic grading system for
quicker response. Simply log on to www.study-electronics.com and enter your
credentials. Once the exam has been submitted, your results will be returned within 72
hours. You may also e-mail your answers to faculty@cie-wc.edu, or fax them to us at
1-216-781-0331. If you have any questions, please contact the Instruction Department.
1. A promiscuous mode driver tells the NIC to ignore this much of the first bits of the Layer 2
frame header.
(1) 12
(2) 24
(3) 48
(4) 56
2. Which of these is considered a passive sniffing technique?
(1) MAC duplicating
(2) MAC flooding
(3) ARP poisoning
(4) None of these
3. Protocol tracers are also called ____.
(1) Sniffers
(2) Tracers
(3) Sharks
(4) Filters
4. The technique that uses gratuitous ARP to distribute spoofed information is ____.
(1) MAC duplicating
(2) MAC flooding
(3) ARP poisoning
(4) None of these
5. Using the information a switch stores regarding network connectivity, it is possible to send
sufficient traffic to force the switch into fail-open (hub) mode. The name of this process is
____.
(1) MAC duplicating
(2) MAC flooding
(3) ARP poisoning
(4) None of these
6. This is a security method that tests the ability of the human eye to interpret an image of a
deliberately distorted word.
(1) Captchas
(2) Backatchas
(3) Gotchas
(4) Fuzzies
7. Which of these is not one of the three server supported authentication methods?
(1) Application
(2) Basic
(3) Disk
(4) Volume
8. This protocol implementation supports “state.”
(1) HTTP1.0
(2) HTTP1.1
(3) HTTP2.0
(4) All support “state”
9. Protection imposed by an application can be circumvented by modifying either the source
code or the URL for the page and then reloading or resubmitting it.
(1) True
(2) False
10. The attack called ____ was originally known as CSS.
(1) CSX
(2) CMS
(3) CXS
(4) XSS
END OF EXAMINATION
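Question 5 above describes MAC flooding: exhausting the switch's address table so that it floods frames like a hub. The block below is an added example, not from the study guide or the textbook: a model of a switch's CAM table with a fixed capacity and an aging timer, an attacker on one port emitting frames with random source MACs (the behaviour of tools such as macof), and the port-security countermeasure that limits learned MACs per port and shuts the port on a violation. The port numbers, MAC addresses, table size and the "all entries age out at once" simplification are assumptions of the model; nothing here touches a real network.

```python
"""Added example (not from the study guide): a model of a switch's CAM table
under MAC flooding, with and without port security.  Everything is simulated."""
import secrets
from collections import OrderedDict


class Switch:
    def __init__(self, ports, cam_capacity: int, max_macs_per_port=None):
        self.ports = list(ports)
        self.capacity = cam_capacity
        self.cam = OrderedDict()                       # mac -> port
        self.max_macs_per_port = max_macs_per_port     # None = port security off
        self.disabled = set()                          # ports shut down by a violation

    def _learn(self, mac: str, port: int) -> bool:
        if mac in self.cam:
            self.cam[mac] = port                       # refresh existing entry
            return True
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs_per_port:
                self.disabled.add(port)                # violation action: shut the port
                return False
        if len(self.cam) >= self.capacity:
            return False                               # table full: address cannot be learned
        self.cam[mac] = port
        return True

    def age_out(self):
        """Crude model of the aging timer expiring for every entry at once."""
        self.cam.clear()

    def forward(self, src: str, dst: str, ingress: int):
        """Return the list of ports the frame is delivered to."""
        if ingress in self.disabled:
            return []
        self._learn(src, ingress)
        if dst in self.cam:
            return [self.cam[dst]]                     # known unicast: one port
        return [p for p in self.ports if p != ingress]  # unknown unicast: flood


def random_mac() -> str:
    return "02:" + ":".join(f"{b:02x}" for b in secrets.token_bytes(5))


def mac_flood(switch: Switch, attacker_port: int, frames: int):
    """Attacker emits frames with fresh random source MACs."""
    for _ in range(frames):
        switch.forward(random_mac(), random_mac(), attacker_port)


def demo(max_macs_per_port=None):
    """Hosts A (port 1) and B (port 2) talk; the attacker sits on port 3.
    Returns the delivery ports for an A->B frame before and after the flood,
    plus any ports shut down by port security."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=64, max_macs_per_port=max_macs_per_port)
    host_a, host_b = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"   # constructed
    sw.forward(host_a, host_b, 1)
    sw.forward(host_b, host_a, 2)
    before = sw.forward(host_a, host_b, 1)      # [2]: only B's port sees it
    mac_flood(sw, 3, 200)                       # attacker fills the table
    sw.age_out()                                # legitimate entries expire...
    mac_flood(sw, 3, 200)                       # ...and the attacker refills it first
    sw.forward(host_b, host_a, 2)               # B speaks again but cannot be relearned
    after = sw.forward(host_a, host_b, 1)       # so A's traffic is flooded, port 3 included
    return before, after, sorted(sw.disabled)


if __name__ == "__main__":
    print("no port security:", demo())                     # ([2], [2, 3], [])
    print("port security, max 1 MAC/port:", demo(1))       # ([2], [2], [3])
```

The model captures why flooding works: the switch does not forget what it learned, it simply cannot learn anything new, so once legitimate entries age out their owners' traffic becomes unknown-unicast and is flooded to every port, including the attacker's. Limiting the number of MAC addresses learned per access port (port security with a shutdown violation action on managed switches) stops the attacker from ever filling the table.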
Chapter 9— Social Engineering
Overview
The greatest weakness of any network will be the human element, and the most cost-effective
countermeasure is training. This chapter shows how humans can be deceived, misinformed or led to bad
judgment. They can also simply be taken advantage of even if they are not doing anything wrong. Without
proper and continuous training, awareness fades quickly; attackers can sense this over time and are
attracted to these vulnerable targets.
Objectives
• Understand social engineering
• Identify the different types of social engineering
• Gain insights on social engineering threats and defense
To be successful in this lesson:
• Read Chapter 9
• Read the Study Guide for Lesson 1146B
• Study the Key Terms (italicized throughout the chapter)
• Complete and check the Practice Exam Questions on pages 273 through 276
  (Answers on pages 307 & 308)
If you have the resources available to you, please complete the “Try It Out” activities
throughout the chapter; they will benefit your learning. Once you have completed the
next chapter and its exam, continue to the next lesson.
Chapter 10— Denial of Service
Overview
Sometimes the objective of an attack is to embarrass the target. Reputation is perhaps the most valuable
asset of any organization. Since “non-techies” don’t understand the concept of DoS or DDoS attacks, it is
easy to create a sense that a network is not trustworthy simply by making its services inaccessible. There
are other reasons for these attacks as well; it might be as simple as an attacker or virus author testing out or
proving a theory. This chapter looks at how Denial of Service attacks are set up and how botnets, possibly
built from hosts left behind by worms or from socially engineered installations of malware, can coordinate
in a large-scale event.
Objectives
• Understand a Denial of Service attack
• Gain insights on Distributed Denial of Service attacks
• Assess DoS/DDoS attack tools
To be successful in this lesson:
• Read Chapter 10
• Read the Study Guide for Lesson 1146B
• Study the Key Terms (italicized throughout the chapter)
• Complete and check the Practice Exam Questions on pages 276 through 279
  (Answers on pages 308 & 309)
If you have the resources available to you, please complete the “Try It Out” activities
throughout the chapter; they will benefit your learning. Once you have completed the
exam, continue to the next lesson.
Lesson 1146B Examination
Please complete the following exam. You may use the electronic grading system for
quicker response. Simply log on to www.study-electronics.com and enter your
credentials. Once the exam has been submitted, your results will be returned within 72
hours. You may also e-mail your answers to faculty@cie-wc.edu, or fax them to us at
1-216-781-0331. If you have any questions, please contact the Instruction Department.
1. This type of attack accounts for close to 70% of the socially engineered attack, according to
some surveys.
(1) Social proof
(2) Reverse social engineering
(3) Inside jobs
(4) None of these
2. This is considered to be the most difficult attack type to execute.
(1) Social proof
(2) Reverse social engineering
(3) Inside jobs
(4) None of these
3. The act of gaining sensitive information on a particular company by sifting through the trash
is called ____.
(1) Dumpster diving
(2) Trash tossing
(3) Rectangular research
(4) All of these are used
4. This is widely considered the weakest link in network security.
(1) WAPs
(2) Media files
(3) Honeypots
(4) Users
5. Which of these would be considered social engineering of physical controls?
(1) Piggybacking
(2) Shoulder surfing
(3) Tailgating
(4) All of them
6. A DDoS attack is limited to three levels of hierarchical control.
(1) True
(2) False
7. Which of these would be considered an IP fragmentation DoS attack tool for use with
Windows 2000 and earlier hosts?
(1) Land
(2) Targa
(3) Joltz
(4) Bubonic.c
8. This DoS tool sends SYN traffic to the host, spoofing the target itself as the source.
(1) Land
(2) Targa
(3) Joltz
(4) Bubonic.c
9. What is the result if the computer does not have specific instructions on how to deal with a
specific input?
(1) Kernel panic
(2) Buffer overflow
(3) All of the above
10. This worm infected 90% of its targets following the first ten minutes of its launch.
(1) Slammer
(2) MyDoom
(3) Stacheldraht
(4) Melissa
END OF EXAMINATION
Chapter 11— Web Servers and Applications
Overview
Web applications are a distinctly different risk because their owner wants them to be as accessible as
possible, unlike internal systems, which can be more tightly controlled. This chapter discusses the different
levels of exposure, from n-tier models to platform architecture, as well as the principles behind the most
common attacks that take place every day against these systems.
Objectives
• Understand why web servers are compromised
• Understand web application hacking methodology
• Examine SQL injection attacks
To be successful in this lesson:
• Read Chapter 11
• Read the Study Guide for Lesson 1147B
• Study the Key Terms (italicized throughout the chapter)
• Complete and check the Practice Exam Questions on pages 279 through 283
  (Answers on pages 309 & 310)
If you have the resources available to you, please complete the “Try It Out” activities
throughout the chapter; they will benefit your learning. Once you have completed the
exam, continue to the next lesson.
Lesson 1147B Examination
Please complete the following exam. You may use the electronic grading system for
quicker response. Simply log on to www.study-electronics.com and enter your
credentials. Once the exam has been submitted, your results will be returned within 72
hours. You may also e-mail your answers to faculty@cie-wc.edu, or fax them to us at
1-216-781-0331. If you have any questions, please contact the Instruction Department.
1. The attack of SSLMiTM is initiated by ____.
(1) Banner grabbing
(2) Social engineering
(3) Drive by
(4) Worm
2. A directory traversal attack is only effective on Windows servers.
(1) True
(2) False
3. The weakness in the ____ Windows service is what the Sasser worm exploits.
(1) LSA
(2) SSA
(3) ISAPI
(4) All are correct
4. Which of these can be used to scan an entire website after downloading it?
(1) Black widow
(2) Wget
(3) Wayback machine
(4) All of them
5. Used for the purpose of determining the web server and operating system versions, the ____
is initiated in the discovery phase of an attack.
(1) Password guessing
(2) Banner grabbing
(3) Cookie stealing
(4) Abusing the robots.txt file
6. Allowing HTTP requests to be sent and the response to be passed directly to the scripting
object on the client’s page through the use of the XMLHTTPRequest API is done by the ____
suite of protocols.
(1) SQL
(2) XML
(3) AJAX
(4) HTTP
7. At which layer does the code get processed in the visitor’s browser when describing the
layers at which web applications work?
(1) Presentation
(2) Application
(3) Logic
(4) Database
8. This is a server-side language.
(1) CSS
(2) JavaScript
(3) HTML
(4) PERL
9. Which statements will be processed first when a web server is presented with a SQL script
containing statements in nested quotes?
(1) Outermost
(2) Innermost
(3) First occurrence
(4) Last occurrence
10. The most recognized server-side technology is HTML.
(1) True
(2) False
END OF EXAMINATION
Chapter 12— Hacking Wireless Networks
Overview
Wireless networks are cheap and easy to install. They are also a return to the days of hubs, only worse,
because the signal can’t be completely controlled the way bounded media can. Wireless represents an
opportunity for the attacker to access the network itself; from there, all other attacks discussed in CEH are
possible and essentially the same.
Objectives
- Understand Wireless Networks
- Identify types of Wireless Encryption
- Discuss Wireless Threats
To be successful in this lesson:
- Read Chapter 12
- Read Study Guide for Lesson 1148B
- Study the Key Terms (italicized throughout the chapter)
- Complete and check Practice Exam Questions on pages 283 through 286
  (Answers on pages 310 & 311)
If you have the resources available to you, please complete the activities at the end of the
chapter, as they will benefit your learning. Once you have completed the exam,
continue to the next lesson.
Lesson 1148B Examination
Please complete the following exam. You may use the electronic grading system for
quicker response. Simply log on to www.study-electronics.com and enter your
credentials. Once the exam has been submitted, your results will be returned within 72
hours. You may also e-mail your answers to faculty@cie-wc.edu, or fax them to us at 1216-781-0331. If you have any questions, please contact the Instruction Department.
1. This wireless technology is the slowest of the listed types.
(1) 802.11a
(2) 802.11b
(3) 802.11g
(4) 802.11n
2. Conversely, this wireless technology is the fastest of the listed types.
(1) 802.11a
(2) 802.11b
(3) 802.11g
(4) 802.11n
3. This wireless network operates in the 5 GHz band.
(1) 802.11a
(2) 802.11b
(3) 802.11g
(4) 802.11n
4. Wireless NICs can be set into promiscuous mode using universal drivers that are widely
available on the Internet.
(1) True
(2) False
5. A wireless network’s architecture is most closely related to the ____ architecture.
(1) Star-wired
(2) Baseband
(3) Ring
(4) None of these are correct
6. The network is considered ____ when a wireless network’s beacon frame does not broadcast
the beacon frame periodically.
(1) Closed
(2) Open
(3) Shared
(4) On demand
7. This type of antenna uses an array of dipole elements to more precisely control the direction
of the signal.
(1) Yeti
(2) Yoda
(3) Yagi
(4) Yogi
8. Microwaves can be disruptive to WiFi signals.
(1) True
(2) False
9. The term for a condition when a WAP has been configured to allow administrative access
from the wireless interface is ____.
(1) Warwalking
(2) Warkitting
(3) Warchalking
(4) Wardriving
10. Cordless telephones cannot be used to jam or disrupt WiFi signals.
(1) True
(2) False
END OF EXAMINATION
Chapter 13— IDS, Firewalls, and Honeypots
Overview
This chapter seems to be about defense and countermeasures at first, but since this is an attack class, the
idea is really to understand these systems well enough to detect them, avoid them, and confuse them. Snort and
IPTables are examined because they are always present in the hacker’s favorite operating systems: the ones
that are free.
Objectives
- Understand IDS, Firewall and Honeypot Systems
- Learn Ways to Detect an Intrusion
- Understand Evading Firewalls
To be successful in this lesson:
- Read Chapter 13
- Read Study Guide for Lesson 1149B
- Study the Key Terms (italicized throughout the chapter)
- Complete and check Practice Exam Questions on pages 286 through 289
  (Answers on pages 311 through 313)
If you have the resources available to you, please complete the “Try It Out” activities
throughout the chapter, as they will benefit your learning. Once you have
completed the next chapter and the exam, continue to the next lesson.
Chapter 14— Buffer Overflows
Overview
This chapter takes a step back to look at the principles behind one of the most dangerous and consistently
occurring vulnerabilities in software. It is one of the reasons many of the attacks explored in previous
chapters are successful. The explanation approaches the topic not with the assumption that the reader has a
programming background, but from a perspective that anyone with some experience in IT can get the hang
of. This area of attack is a specialty in its own right that takes years of concentrated effort to master, but
everyone needs to at least grasp the basics.
Objectives
- Understand Buffer Overflows (BoF)
- Understand Stack Operations
- Learn how to identify Buffer Overflows
To be successful in this lesson:
- Read Chapter 14
- Read Study Guide for Lesson 1149B
- Study the Key Terms (italicized throughout the chapter)
- Complete and check Practice Exam Questions on pages 289 through 292
  (Answers on pages 313 & 314)
If you have the resources available to you, please complete the “Try It Out” activities
throughout the chapter, as they will benefit your learning. Once you have
completed the exam, continue to the next lesson.
Lesson 1149B Examination
Please complete the following exam. You may use the electronic grading system for
quicker response. Simply log on to www.study-electronics.com and enter your
credentials. Once the exam has been submitted, your results will be returned within 72
hours. You may also e-mail your answers to faculty@cie-wc.edu, or fax them to us at 1216-781-0331. If you have any questions, please contact the Instruction Department.
1. This identifies a technique for configuring an IDS that looks for events that are unusual based
upon its knowledge of normal traffic.
(1) Signature recognition
(2) Statistical detection
(3) Anomaly detection
(4) File integrity check
2. A firewall fingerprinting technique that uses Telnet to attempt access on any discovered port.
(1) Traceroute
(2) Firewalking
(3) Port scanning
(4) Banner grabbing
3. This choice identifies the task of configuring an IDS to look for a recognizable series of bytes
or characters in a packet.
(1) Signature recognition
(2) Statistical detection
(3) Port scanning
(4) Banner grabbing
4. A Linux command line tool that allows the attacker to fragment packets to a predetermined
size, which generates excessive traffic for an IDS to check in the hopes it will overlook
something.
(1) Packetizer
(2) Fragrouter
(3) Packet shaper
(4) Fragroute
5. A type of firewall that checks each packet one at a time, a system that is both cost effective
and very efficient.
(1) Packet filters
(2) Circuit level gateways
(3) Application level firewall
(4) Stateful inspection firewall
6. This would indicate that a system has identified “clean input.”
(1) Input does not exceed memory allocation
(2) Input meets expected criteria
(3) Special characters are ignored
(4) All will indicate “clean input”
7. This indicates the last four bytes in a variable space used by programmers to detect buffer
overflow attempts.
(1) 0x90 exploit
(2) IDS signature
(3) NOP sled
(4) Canary bytes
8. This is the Linux command line tool for disassembling code.
(1) cgc
(2) gcc
(3) gbd
(4) gdb
9. This is the classic tool for compiling in Linux.
(1) cgc
(2) gcc
(3) gbd
(4) gdb
10. This uses Boolean logic to return differences and ignore sameness.
(1) AND
(2) OR
(3) NOT
(4) XOR
END OF EXAMINATION
Chapter 15— Cryptography
Overview
This chapter lays out the fundamentals of cryptography that every security professional should know. It ties
in with many other topics in this course, on both the attack and defensive fronts.
Objectives
- Understand Cryptography
- Understand Ciphers
- Identify Cryptography Tools
To be successful in this lesson:
- Read Chapter 15
- Read Study Guide for Lesson 1150B
- Study the Key Terms (italicized throughout the chapter)
- Complete and check Practice Exam Questions on pages 292 through 294
  (Answers on pages 314 & 315)
If you have the resources available to you, please complete the “Try It Out” activities
throughout the chapter, as they will benefit your learning. Once you have
completed the next chapter and the exam, continue to the next lesson.
Chapter 16— Penetration Testing
Overview
Applying your CEH skills in a defensive manner will likely involve performing a penetration test. There are
many types that can be ordered by the client depending upon need and objective. The next class in the
track, ECSA/LPT, addresses this topic in detail. This chapter provides a preview of that course, and for
those who stop at CEH, this is the minimum you should know before introducing your hacking skills
into a professional situation.
Objectives
- Understand Penetration Testing (PT)
- Identify Security Assessments
- Identify various Penetration Testing tools
To be successful in this lesson:
- Read Chapter 16
- Read Study Guide for Lesson 1150B
- Study the Key Terms (italicized throughout the chapter)
- Complete and check Practice Exam Questions on pages 294 through 297
  (Answers on pages 315 & 316)
If you have the resources available to you, please complete the “Try It Out” activities
throughout the chapter, as they will benefit your learning. Once you have
completed the exam, you might want to fill out the form for your certificate and send it
in.
Lesson 1150B Examination
Please complete the following exam. You may use the electronic grading system for
quicker response. Simply log on to www.study-electronics.com and enter your
credentials. Once the exam has been submitted, your results will be returned within 72
hours. You may also e-mail your answers to faculty@cie-wc.edu, or fax them to us at 1216-781-0331. If you have any questions, please contact the Instruction Department.
1. This algorithm is used when the keys are related but do not reveal each other.
(1) Asymmetric
(2) Symmetric
(3) Hashing
(4) All are used
2. This does not use the PAIN model, which is considered by many to be one of the easiest ways
to summarize the most important concepts of cryptography.
(1) Privacy
(2) Accuracy
(3) Authenticity
(4) Integrity
3. This is considered to be the most powerful attack type of the ones listed.
(1) Known plain text
(2) Chosen cipher text
(3) Cipher text only
(4) Chosen plain text
4. This type means it has a shared key and a secret key.
(1) Symmetric
(2) Asymmetric
(3) Hashing
5. This type means it is a public key.
(1) Symmetric
(2) Asymmetric
(3) Hashing
6. This type means it is a one-way key.
(1) Symmetric
(2) Asymmetric
(3) Hashing
7. This would define the immediate action, outlined in the initial documentation surrounding a
penetration test that would be taken when a risk is discovered which cannot wait until the end
of the test.
(1) Get out of jail free card
(2) Rules of engagement
(3) Project scope
(4) None of these
8. When designing the test from a high level view, this would provide the start and end dates of
the test along with the people involved in the initial documentation surrounding a penetration
test.
(1) Get out of jail free card
(2) Rules of engagement
(3) Project scope
(4) None of these
9. This is a valid reason to perform penetration testing.
(1) Compliance
(2) Verification of false positive
(3) Test incident response plans
(4) All of these are reasons
10. This would be outlined in the initial documentation surrounding a penetration test as to what
would occur when a tester is caught.
(1) Get out of jail free card
(2) Rules of engagement
(3) Project scope
(4) None of these
END OF EXAMINATION