Introduction to Certified Ethical Hacker certification

Transcription

1 Cleveland Institute of Electronics Bookstore Course Introduction to Certified Ethical Hacker certification Lessons 1141B through 1150B Enroll Online For Version 7.1

2 1 Table of Contents Chat with Your Instructor... 2 Chapter 1 Ethical Hacking... 3 Chapter 2 Footprinting and Reconnaissance... 4 Lesson 1141B Examination... 5 Chapter 3 Scanning... 7 Chapter 4 Enumeration... 8 Lesson 1142B Examination... 9 Chapter 5 System Hacking Lesson 1143B Examination Chapter 6 Trojans and Backdoors Chapter 7 Viruses and Worms Lesson 1144B Examination Chapter 8 Sniffers Lesson 1145B Examination Chapter 9 Social Engineering Chapter 10 Denial of Service Lesson 1146B Examination Chapter 11 Web Servers and Applications Lesson 1147B Examination Chapter 12 Hacking Wireless Networks Lesson 1148B Examination Chapter 13 IDS, Firewalls, and Honeypots Chapter 14 Buffer Overflows Lesson 1149B Examination Chapter 15 Cryptography Chapter 16 Penetration Testing Lesson 1150B Examination... 37

3 2 Chat with Your Instructor This Study Guide will offer some suggestions about how to cover the material in the class. One of the things you should know, regardless of the class you are taking, is that the instructor can t be the sole repository of information for the class and neither can the textbook. Technology simply moves too quickly for that to be a viable option. There is a whole Internet out there. Chances are, someone, somewhere has encountered whatever problem you are having and has solved it. And chances are, someone who has solved your problem has posted the solution on the web. It might not be the exact solution, but it will get you moving toward solving the problem. Having said that, the vaguer an assignment is, the more you will learn from it. The author of the text will walk you through some possible attacks, which will help you to, at the minimum, harden your systems and inform your users. The tutorial sections sprinkled throughout the chapters are very much like this. We do not want to inhibit you in any way if possible; we want you to think what needs to be improved. Of course, there are always students who need more direction and will need to be dealt with individually. Nevertheless, this is college. Students need to explore not be led by the nose step by step. This book assumes that you have knowledge of basic computer and network terminology. It also is not going to make you a hacker, nor is it enough knowledge for a guarantee that you can sit for the exam. The one thing we want to make perfectly clear is that this course is designed to introduce, not make proficient. It uses one of the resources prepared by EC-Council for the exam, but it is not directly associated with them. It is our attempt to round your knowledge and maybe cause you to want to learn more about the topics inside. If you have a technical problem, we recommend the following: First, check the textbook that accompanies the study guide. Research some of the information at the appropriate websites (a search using the key terms may also be helpful.) Feel free to call the instruction department during business hours (8:30 AM to 6 PM Eastern time), Monday through Friday, and Saturday during the weekend hours (8:30 AM to 5 PM Eastern time). Be prepared to describe which lesson you are working on and the problem you are having. Instructional Support Addresses and Phone Numbers Main Support Help Line: (800) or (216) address: faculty@cie-wc.edu Instructional Support is available business hours (Eastern time) Monday through Saturday. Mailing address: Cleveland Institute of Electronics 1776 East 17 th Street Cleveland, OH 44114

4 3 Chapter 1 Ethical Hacking Overview The first chapter of a broad ranging information security course is always about setting the tone, and establishing the fundamentals such as vocabulary, context, and most of all, why this information is important. It also discusses some of the basic legal issues and moral dilemmas that security researchers face as they practice in this profession. Objectives Understand the issues plaguing the information security world Gain knowledge on various hacking terminologies Learn the basic elements of information security To be successful in this lesson: Read Chapter 1 Read Study Guide for Lesson 1141B Study the Key Terms (italicized throughout the chapter) Complete and check Practice Exam Questions on pages 251 through 253 (Answers on pages 298 & 299) If you have the resources available to you please complete the Try It Out activities throughout the chapter for it will benefit your learning potential. Once you have completed the next chapter and the exam continue to the next lesson.

5 4 Overview Chapter 2 Footprinting and Reconnaissance The first step of any attack is reconnaissance and information gathering. This chapter goes beyond the obvious and provides a checklist of ways to learn as much as possible about a target. Using both passive and active techniques, this is the most important step of the attack process. Objectives Understand the term Footprinting Learn the areas and information that hackers seek Gain knowledge on information gathering tools and methodology To be successful in this lesson: Read Chapter 2 Read Study Guide for Lesson 1141B Study the Key Terms (italicized throughout the chapter) Complete and check Practice Exam Questions on pages 253 through 256 (Answers on pages 299 & 300) If you have the resources available to you please complete the Try It Out activities throughout the chapter for it will benefit your learning potential. Once you have completed the exam, continue to the next lesson.

6 5 Lesson 1141B Examination Please complete the following exam. You may use the electronic grading system for quicker response. Simply log on to and enter your credentials. Once the exam has been submitted, your results will be returned within 72 hours. You may also your answers to or fax them to us at If you have any questions, please contact the Instruction Department. 1. This vulnerability test is ordered when the client wants the most realistic type of test possible. (1) Red Hat test (3) Grey Hat test (2) Black Hat test (4) White Hat test 2. When considering the types of attack listed below, which would be considered the most dangerous? (1) Malicious code attacks (3) Social Engineering attacks (2) Application level attacks (4) Network-based attacks 3. The best attacks often exploit known bugs or flaws. (1) True (2) False 4. Which term best describes students enrolled in an Ethical Hacker class? (1) Black Hat (3) White Hat (2) Grey Hat (4) None of these 5. Which of these choices would NOT be considered an attack? (1) Violating the terms of a warning banner (2) Intentionally gaining unauthorized access (3) Compromising a weak password to gain access (4) All of these are attacks 6. Which of these choices is the least important during the footprinting stage? (1) Creative Internet searches (2) Basic Internet searches (3) Determine what discoveries are important (4) Learn as much about the target as possible 7. This field increments by one each time the zone is updated. (1) Refresh Rate (3) Serial Number (2) Retry Timer (4) Expiry Timer 8. This is how long the secondary server will wait until before considering a zone to be dead. (1) Refresh Rate (3) Serial Number (2) Retry Timer (4) Expiry Timer

7 6 9. This Google hacking technique looks for potential numerical patterns within a query in order to guess at files in locations that are not indexed. (1) Find directory listings (3) Directory services (2) Incremental substitution (4) Extension renaming 10. TOE is the acronym for. (1) Trail of Evidence (3) Terms of Exchange (2) Target of Ease (4) Target of Evaluation END OF EXAMINATION

8 7 Chapter 3 Scanning Overview Once the attacker knows the outside addresses and, if possible, the inside topology, the network must be footprinted and all operating systems and services identified and verified. This is a difficult step, as defenses such as traffic filters and intrusion response systems will affect the attacker s view of the network and opportunities for attack. Technical knowledge of scanning techniques, the protocols involved and why the network looks different to an attacker than it does to an designer, engineer, or administrator are covered in this chapter. Objectives Understand the term port scanning, network scanning and vulnerability scanning Understand the objectives of scanning Understand banner grabbing using OS fingerprinting, Active Stack Fingerprinting, Passive Fingerprinting and other techniques and tools To be successful in this lesson: Read Chapter 3 Read Study Guide for Lesson 1142B Study the Key Terms (italicized throughout the chapter) Complete and check Practice Exam Questions on pages 256 through 259 (Answers on pages 300 & 301) If you have the resources available to you please complete the Try It Out activities throughout the chapter for it will benefit your learning potential. Once you have completed the next chapter and the exam continue to the next lesson.

9 8 Chapter 4 Enumeration Overview Once the attacker knows the outside addresses and, if possible, the inside topology, the network must be The attacker is getting eager to start doing some damage, but the disciplined ones know there is still some work to be done. The live hosts, access points, and roles each host has needs to be understood better. The enumeration chapter is about user accounts and logical topologies. In order to develop a real strategy, the attacker must know what is happening above Layer 4. Objectives Learn the system hacking cycle Understand Enumeration and its techniques Understand null sessions and its countermeasures To be successful in this lesson: Read Chapter 4 Read Study Guide for Lesson 1142B Study the Key Terms (italicized throughout the chapter) Complete and check Practice Exam Questions on pages 259 through 262 (Answers on pages 301 & 302) If you have the resources available to you please complete the Try It Out activities throughout the chapter for it will benefit your learning potential. Once you have completed the exam, continue to the next lesson.

10 9 Lesson 1142B Examination Please complete the following exam. You may use the electronic grading system for quicker response. Simply log on to and enter your credentials. Once the exam has been submitted, your results will be returned within 72 hours. You may also your answers to or fax them to us at If you have any questions, please contact the Instruction Department. 1. A TCP session is established when two hosts complete a handshake, but two other fields are also included in in keeping the session organized. Those two fields are and. (1) Target port number (5) Both 1 and 2 (2) Acknowledgement number (6) Both 1 and 3 (3) Synchronization number (7) Both 2 and 4 (4) Sequence number (8) Both 2 and 3 2. Using inverse scanning methods, Microsoft Windows hosts will respond with this flag when confusing traffic is received on an open port. (1) SYN (4) URG (2) ACK (5) PSH (3) FIN (6) RST 3. This message type is sent out on the internal local network segment to discover responders. (1) Maintenance (3) Sequenced (2) Broadcast (4) Ping 4. Echo requests are sent out during an ICMP scan; at the same time echo replies are anticipated. Which type and code represents an Echo reply? (1) Type 0 code 8 (3) Type 8 code 0 (2) Type 0 code 0 (4) Type 8 code 8 5. The protocol responsible for translating the logical network address into the physical address is. (1) ARP (3) MAC (2) RFC (4) ICMP 6. Using LDAP, this identifies a user object uniquely. (1) UIN (3) DUN (2) OID (4) DN 7. Which value is the most restrictive when considering the three possible values for the RestrictAnonymous key? (1) 1 (3) 3 (2) 2 (4) 0

11 10 8. Which port will be used when running SMB over TCP/IP on a PC running a Microsoft OS when NetBT is disabled? (1) 445 (3) 139 (2) 389 (4) In an attack using SNMP for enumeration, the highest level objective would be to access the. (1) NMS (3) OID (2) MIB (4) All are correct 10. Which of these could be used to administer LDAP? (1) MMC (3) Ldap.exe (2) Jxplorer (4) All could be used END OF EXAMINATION

12 11 Chapter 5 System Hacking Overview Finally, the target is well enough understood to begin the gaining access and mainlining access phases. Perhaps a privileged user account can be compromised. Maybe economic espionage is possible. The attacker may have noticed unpatched systems exist that can be attacked from commonly available exploit tools. This chapter explores these vectors in detail. Objectives Understand the different types of passwords Identify the different types of password attacks Identify password cracking techniques as well as countermeasures To be successful in this lesson: Read Chapter 3 Read Study Guide for Lesson 1143B Study the Key Terms (italicized throughout the chapter) Complete and check Practice Exam Questions on pages 262 through 265 (Answers on pages 302 & 303) If you have the resources available to you please complete the Try It Out activities throughout the chapter for it will benefit your learning potential. Once you have completed the exam, continue to the next lesson.

13 12 Lesson 1143B Examination Please complete the following exam. You may use the electronic grading system for quicker response. Simply log on to and enter your credentials. Once the exam has been submitted, your results will be returned within 72 hours. You may also your answers to or fax them to us at If you have any questions, please contact the Instruction Department. 1. Which of these identifies the practice of hiding information inside other information in a manner usually undetected by eye? (1) $Data stream (3) Encryption (2) Steganography (4) ADS 2. Rootkits provide root privileges automatically. (1) True (2) False 3. Which of these is considered a passive type of attack? (1) Password sniffing (4) Session Hijacking (2) Password guessing (5) Document shredding (3) Replay 4. An attack that substitutes predetermined characters such as S with alternates such as $ using regular expressions is known as a(n) attack. (1) Syllable (3) Rule-based (2) Brute force (4) Hybrid 5. The most effective way of exploiting the primary weakness of the hashing algorithm in passwords stored as hashes is. (1) Hash reversal (3) Collision (2) Substitution (4) None of these is effective 6. This data protection type is considered the easiest way to implement and manage. (1) Smart Cards (3) Keys (2) Passwords (4) USB keys 7. Which of these is not one of the three different types of privilege escalation? (1) Horizontal (3) De-escalation (2) Vertical (4) SIUD 8. Which of these is considered the most efficient and effective active online attack? (1) Replay (3) Password sniffing (2) Password guessing (4) Man-in-the-Middle 9. Which of these implementations uses the MD5 hashing algorithm? (1) Kerberos (3) LM (2) NTLMv2 (4) All of them use it

14 Which location would not store passwords on a Windows host? (1) Shadow file (3) Repair file (2) SAM file (4) The registry END OF EXAMINATION

15 14 Chapter 6 Trojans and Backdoors Overview If it is hard to attack the target directly, maybe the target will come to the attacker. This chapter builds on the system hacking chapter and shows how techniques can be combined together to gain and maintain access to systems. The chapter explores one of the oldest yet still very much relevant daily security concerns. Objectives Define a Trojan Identify overt and covert channels Learn windows start up monitoring tools To be successful in this lesson: Read Chapter 6 Read Study Guide for Lesson 1144B Study the Key Terms (italicized throughout the chapter) Complete and check Practice Exam Questions on pages 265 through 268 (Answers on pages 304 & 305) If you have the resources available to you please complete the Try It Out activities throughout the chapter for it will benefit your learning potential. Once you have completed the next chapter and the exam continue to the next lesson.

16 15 Chapter 7 Viruses and Worms Overview If hosts that are of value to the attacker cannot be precisely targeted, the strategy may turn to attacking as many as possible, in the shortest amount of time, to the greatest effect. If one piece of code can be written that will then do all the work for the attacker, all the better. Knowing there are others in the world that will capture your code, create a variant, and sent it back out may amplify the results. This chapter explores a category of automated, self-powered attacks. Objectives Understand the computer virus and its history Understand how does a computer get infected by viruses Understand the difference between a virus and a worm To be successful in this lesson: Read Chapter 7 Read Study Guide for Lesson 1144B Study the Key Terms (italicized throughout the chapter) Complete and check Practice Exam Questions on pages 268 through 271 (Answers on pages 305 & 306) If you have the resources available to you please complete the Try It Out activities throughout the chapter for it will benefit your learning potential. Once you have completed the exam, continue to the next lesson.

17 16 Lesson 1144B Examination Please complete the following exam. You may use the electronic grading system for quicker response. Simply log on to and enter your credentials. Once the exam has been submitted, your results will be returned within 72 hours. You may also your answers to or fax them to us at If you have any questions, please contact the Instruction Department. 1. Programs that perform operations like opening the CD tray, changing the desktop image or the screen resolution are considered this type of tool. (1) Lamer (3) Bot (2) Desktop control (4) Reverse shell 2. Which of these is not a CEH recognized category of malicious programs? (1) Viruses (3) Malware (2) Worms (4) Trojans and rootkits 3. This freeware tool is included in Windows to control and manage startup. (1) Winpatrol (3) Msconfig (2) Hijack This (4) Autoruns 4. A program that appears to perform desirable and necessary functions but performs other functions that are not known or needed are known as. (1) Rootkit (3) Backdoor (2) Malicious software (4) Trojan 5. Installs an illicit server on the victim and then accesses from a client. (1) Remote Access Trojan (3) Data Sending Trojan (2) Denial of Service Trojan (4) FTP Trojan 6. A type of social engineering attack that is designed to waste the time of victims and consume network bandwidth when these users news of the threat is called a. (1) Network virus (3) Hoax (2) Stealth virus (4) MBR virus 7. This statement represents a worm more than a virus. (1) Difficult to remove without damaging the system (2) Executes itself and can include its own spreader (3) Requires a user initiated event to spread and needs a carrier (4) Typically effects executable files; can hide in media files 8. This was the first working virus found in the wild. (1) Elk Clone (3) Creeper (2) Reaper (4) Wabbit

18 17 9. The hides from the antivirus software and copies itself to a temporary location, leaving infected files to be clean when scanned. (1) Network virus (3) Hoax (2) Stealth virus (4) MBR virus 10. The overwrites the instructions at the disk location Cylinder 0, Head 0, Sector 1 and then copies itself into RAM and onto other disks. (1) Network virus (3) Hoax (2) Stealth virus (4) MBR virus END OF EXAMINATION

19 18 Chapter 8 Sniffers Overview Observing traffic is a piece of the puzzle between all of the techniques explored so far. It can be used for information gathering, compromising sensitive data, or as a step in a sophisticated control technique. On the defensive side, sniffing is a powerful troubleshooting, analysis, and testing technique. This chapter shows how to make the rest of the information in this course observable to the most detailed level. It shows how the importance of understanding the higher-level concepts such as protocols and the expected events of a technique can lead the way to both more efficient attacks and more efficient countermeasures. Objectives Understand sniffing and protocols vulnerable to it Understand Address Resolution Protocol (ARP) Understand what is Session Hijacking Spoofing vs. Hijacking To be successful in this lesson: Read Chapter 8 Read Study Guide for Lesson 1145B Study the Key Terms (italicized throughout the chapter) Complete and check Practice Exam Questions on pages 271 through 273 (Answers on pages 306 & 307) If you have the resources available to you please complete the Try It Out activities throughout the chapter for it will benefit your learning potential. Once you have completed the exam, continue to the next lesson.

20 19 Lesson 1145B Examination Please complete the following exam. You may use the electronic grading system for quicker response. Simply log on to and enter your credentials. Once the exam has been submitted, your results will be returned within 72 hours. You may also your answers to or fax them to us at If you have any questions, please contact the Instruction Department. 1. A promiscuous mode driver tells the NIC to ignore this much of the first bits of the Layer 2 frame header. (1) 12 (3) 48 (2) 24 (4) Which of these is considered a passive sniffing technique? (1) Mac duplicating (3) Arp poisoning (2) MAC flooding (4) None of these 3. Protocol tracers are also called. (1) Sniffers (3) Sharks (2) Tracers (4) Filters 4. The technique that uses gratuitous ARP to distribute spoofed information is. (1) Mac duplicating (3) Arp poisoning (2) MAC flooding (4) None of these 5. Using the information a switch stores regarding network connectivity, it is possible to send sufficient traffic to force the switch into fail safe or hub mode. The name of this process is. (1) Mac duplicating (3) Arp poisoning (2) MAC flooding (4) None of these 6. This is a security method that tests the ability of the human eye to interpret an image of a deliberately distorted word. (1) Captchas (3) Gotchas (2) Backatchas (4) Fuzzies 7. Which of these is not one of the three server supported authentication methods? (1) Application (3) Disk (2) Basic (4) Volume 8. This protocol implementation supports state. (1) HTTP1.0 (3) HTTP2.0 (2) HTTP1.1 (4) All support state

21 20 9. Protection imposed by an application can be circumvented by modifying either the source code or the URL for the page and then reloading or resubmitting it. (1) True (2) False 10. The attack called was originally known as CSS. (1) CSX (3) CXS (2) CMS (4) XSS END OF EXAMINATION

22 21 Chapter 9 Social Engineering Overview The greatest weakness of any network will be the human element and the most cost effective countermeasure is training. This chapter shows how humans can be deceived, misinformed or led to bad judgment. They can also simply be taken advantage of even if they are not doing anything wrong. Without proper and continuous training, awareness fades quickly and attackers can sense this over time and be attracted to these vulnerable targets. Objectives Understand Social Engineering Identify the different types of social engineering Gain insights on Social Engineering threats and defense To be successful in this lesson: Read Chapter 9 Read Study Guide for Lesson 1146B Study the Key Terms (italicized throughout the chapter) Complete and check Practice Exam Questions on pages 273 through 276 (Answers on pages 307 & 308) If you have the resources available to you please complete the Try It Out activities throughout the chapter for it will benefit your learning potential. Once you have completed the next chapter and the exam continue to the next lesson.

23 22 Chapter 10 Denial of Service Overview Sometimes the objective of an attack is to embarrass the target. Reputation is perhaps the most valuable asset to any organization. Since non- techies don t understand the concept of DoS or DDoS attacks, it is easy to create a sense that a network is not trustworthy simply by making its services inaccessible. There are other reasons for these attacks as well; it might be as simple as an attacker or virus author testing out or proving a theory. This chapter looks at how Denial of Service attacks are set up and how botnets that were possibly setup by worm droppings or socially engineered installations of malware can coordinate in a large scale event. Objectives Understand a Denial of Service Attack Gain insights on Distributed Denial of Service Attacks Assess DoS/DDoS Attack Tools To be successful in this lesson: Read Chapter 10 Read Study Guide for Lesson 1146B Study the Key Terms (italicized throughout the chapter) Complete and check Practice Exam Questions on pages 276 through 279 (Answers on pages 308 & 309) If you have the resources available to you please complete the Try It Out activities throughout the chapter for it will benefit your learning potential. Once you have completed the exam, continue to the next lesson.

24 23 Lesson 1146B Examination Please complete the following exam. You may use the electronic grading system for quicker response. Simply log on to and enter your credentials. Once the exam has been submitted, your results will be returned within 72 hours. You may also your answers to or fax them to us at If you have any questions, please contact the Instruction Department. 1. This type of attack accounts for close to 70% of the socially engineered attack, according to some surveys. (1) Social proof (3) Inside jobs (2) Reverse social engineering (4) None of these 2. This is considered to be the most difficult attack type to execute. (1) Social proof (3) Inside jobs (2) Reverse social engineering (4) None of these 3. The act of gaining sensitive information on a particular company by sifting through the trash is called. (1) Dumpster diving (3) Rectangular research (2) Trash tossing (4) All of these are used 4. This is widely considered the weakest link in network security. (1) WAPs (3) Honeypots (2) Media files (4) Users 5. Which of these would be considered social engineering of physical controls? (1) Piggybacking (3) Tailgating (2) Shoulder surfing (4) All of them 6. A DDoS attack is limited to three levels of hierarchical control. (1) True (2) False 7. Which of these would be considered an IP fragmentation DoS attack tool for use with Windows 2000 and earlier hosts? (1) Land (3) Joltz (2) Targa (4) Bubonic.c 8. This DoS tool sends SYN traffic to the host, spoofing the target itself as the source. (1) Land (3) Joltz (2) Targa (4) Bubonic.c

25 24 9. What is the result if the computer does not have specific instructions on how to deal with a specific input? (1) Kernel panic (2) Buffer overflow (3) All of the above 10. This worm infected 90% of its targets following the first ten minutes of its launch. (1) Slammer (3) Stacheldraht (2) MyDoom (4) Melissa END OF EXAMINATION

26 25 Overview Chapter 11 Web Servers and Applications Web applications are a distinctly difference risk because their owner wants them to be as accessible as possible, unlike internal systems which can be more tightly controlled. This chapter discusses the different levels of exposure: from n-tiered models to platform architecture, as well as the principles behind the most common attacks that take place every day against these systems. Objectives Understand why Web Servers are compromised Understand Web Application Hacking Methodology Examine SQL Injection Attacks To be successful in this lesson: Read Chapter 11 Read Study Guide for Lesson 1147B Study the Key Terms (italicized throughout the chapter) Complete and check Practice Exam Questions on pages 279 through 283 (Answers on pages 309 & 310) If you have the resources available to you please complete the Try It Out activities throughout the chapter for it will benefit your learning potential. Once you have completed the exam, continue to the next lesson.

27 26 Lesson 1147B Examination Please complete the following exam. You may use the electronic grading system for quicker response. Simply log on to and enter your credentials. Once the exam has been submitted, your results will be returned within 72 hours. You may also your answers to or fax them to us at If you have any questions, please contact the Instruction Department. 1. The attack of SSLMiTM is initiated by. (1) Banner grabbing (3) Drive by (2) Social engineering (4) Worm 2. A directory transversal attack is only effective on Windows servers. (1) True (2) False 3. The weakness in the Windows service is what the Sasser worm exploits. (1) LSA (3) ISAPI (2) SSA (4) All are correct 4. Which of these can be used to scan an entire website after downloading it? (1) Black widow (3) Wayback machine (2) Wget (4) All of them 5. Used for the purpose of determining the web server and operating system versions, the is initiated in the discovery phase of an attack. (1) Password guessing (3) Cookie stealing (2) Banner grabbing (4) Abusing the robot.txt file 6. Allowing HTTP requests to be sent and the response to be passed directly to the scripting object on the client s page through the use of the XMLHTTPRequest API is done by the suite of protocols. (1) SQL (3) AJAX (2) XML (4) HTTP 7. At which layer does the code get processed in the visitor s browser when describing the layers at which web applications work? (1) Presentation (3) Logic (2) Application (4) Database 8. This is a server-side language. (1) CSS (3) HTML (2) JavaScript (4) PERL

28 27 9. Which statements will be processed first when a web server is presented with a SQL script containing statements in nested quotes? (1) Outermost (3) First occurrence (2) Innermost (4) Last occurrence 10. The most recognized server-side technology is HTML. (1) True (2) False END OF EXAMINATION

29 28 Chapter 12 Hacking Wireless Networks Overview Wireless networks are cheap and easy to install. They are also a return to the days of hubs, only worse because the signal can t be completely controlled like bounded media can. Wireless represents an opportunity for the attacker to access the network itself, from there all other attacks discussed in CEH are possible and essentially the same. Objectives Understand Wireless Networks Identify types of Wireless Encryption Discuss Wireless Threats To be successful in this lesson: Read Chapter 12 Read Study Guide for Lesson 1148B Study the Key Terms (italicized throughout the chapter) Complete and check Practice Exam Questions on pages 283 through 286 (Answers on pages 310 & 311) If you have the resources available to you please complete the activities at the end of the chapter for it will benefit your learning potential. Once you have completed the exam continue to the next lesson.

30 29 Lesson 1148B Examination Please complete the following exam. You may use the electronic grading system for quicker response. Simply log on to and enter your credentials. Once the exam has been submitted, your results will be returned within 72 hours. You may also your answers to or fax them to us at If you have any questions, please contact the Instruction Department. 1. This wireless technology is the slowest of the listed types. (1) a (3) g (2) b (4) n 2. Conversely, this wireless technology is the fastest of the listed types. (1) a (3) g (2) b (4) n 3. This wireless network operates in the 5GHz band, (1) a (3) g (2) b (4) n 4. Wireless NICs can be set into promiscuous mode using universal drivers that are widely available on the Internet. (1) True (2) False 5. A wireless network s architecture is most closely related to the architecture. (1) Star-wired (3) Ring (2) Baseband (4) None of these are correct 6. The network is considered when a wireless network s beacon frame does not broadcast the beacon frame periodically. (1) Closed (3) Shared (2) Open (4) On demand 7. This type of antenna uses an array of dipole elements to more precisely control the direction of the signal. (1) Yeti (3) Yagi (2) Yoda (4) Yogi 8. Microwaves can be disruptive to WiFi signals. (1) True (2) False 9. The term for a condition when a WAP has been configured to allow administrative access from the wireless interface is. (1) Warwalking (3) Warchalking (2) Warkitting (4) Wardriving

31 Cordless telephones cannot be used to jam or disrupt WiFi signals. (1) True (2) False END OF EXAMINATION

32 31 Chapter 13 IDS, Firewalls, and Honeypots Overview This chapter seems to be about defense and countermeasures at first, but since this is an attack class the idea it really to understand them well enough to detect them, avoid them, and a confuse them. Snort and IPTables are looked at because they are always present in Hacker s favorite operating systems; the ones that are free. Objectives Understand IDS, Firewall and Honeypot System Learn Ways to Detect an Intrusion Understand Evading Firewall To be successful in this lesson: Read Chapter 13 Read Study Guide for Lesson 1149B Study the Key Terms (italicized throughout the chapter) Complete and check Practice Exam Questions on pages 286 through 289 (Answers on pages 311 through 313) If you have the resources available to you please complete the Try It Out activities throughout the chapter for it will benefit your learning potential. Once you have completed the next chapter and the exam continue to the next lesson.

33 32 Chapter 14 Buffer Overflows Overview This chapter takes a step back to look at the principles behind one of the most dangerous and consistently occurring vulnerabilities in software. It is one of the reasons much of the attacks explored in previous chapters are successful. The explanation approaches the topic not with an assumption the reader has a programming background, but from a perspective that anyone with some experience in IT can get the hang of. This area of attack is a specialty on its own that takes years of concentrated effort to master, but everyone needs to at least grasp the basics. Objectives Understand Buffer Overflows (BoF) Understand Stack Operations Learn how to identify Buffer Overflows To be successful in this lesson: Read Chapter 14 Read Study Guide for Lesson 1149B Study the Key Terms (italicized throughout the chapter) Complete and check Practice Exam Questions on pages 289 through 292 (Answers on pages 313 & 314) If you have the resources available to you please complete the Try It Out activities throughout the chapter for it will benefit your learning potential. Once you have completed the exam, continue to the next lesson.

34 33 Lesson 1149B Examination Please complete the following exam. You may use the electronic grading system for quicker response. Simply log on to and enter your credentials. Once the exam has been submitted, your results will be returned within 72 hours. You may also your answers to or fax them to us at If you have any questions, please contact the Instruction Department. 1. This identifies a technique for configuring an IDS that looks for events that are unusual based upon its knowledge of normal traffic. (1) Signature recognition (3) Anomaly detection (2) Statistical detection (4) File integrity check 2. A firewall fingerprinting technique that uses Telnet to attempt access on any discovered port. (1) Traceroute (3) Port scanning (2) Firewalking (4) Banner grabbing 3. This choice identifies the task of configuring an IDS to look for a recognizable series of bytes or characters in a packet. (1) Signature recognition (3) Port scanning (2) Statistical detection (4) Banner grabbing 4. A Linux command line tool that allows the attacker to fragment packets to a predetermined size, which generates excessive traffic for an IDS to check in the hopes it will overlook something. (1) Packetizer (3) Packet shaper (2) Fragrouter (4) Fragroute 5. A type of firewall that checks each packet one at a time, a system that is both cost effective and very efficient. (1) Packet filters (3) Application level firewall (2) Circuit level gateways (4) Stateful inspection firewall 6. This would indicate system identification of clean input. (1) Input does not exceed memory allocation (2) Input meets expected criteria (3) Special characters are ignored (4) All are will indicate clean input 7. This indicates the last four bytes in a variable space used by programmers to detect buffer overflow attempts. (1) 0x90 exploit (3) NOP sled (2) IDS signature (4) Canary bytes

35 34 8. This is the Linux command line tool for disassembling code. (1) cgc (3) gbd (2) gcc (4) gdb 9. This is the classic tool for compiling in Linux. (1) cgc (3) gbd (2) gcc (4) gdb 10. This uses Boolean logic to return differences and ignore sameness. (1) AND (3) NOT (2) OR (4) XOR END OF EXAMINATION

36 35 Chapter 15 Cryptography Overview This chapter lays out the fundamentals of cryptography that every security professional should know. It ties in with many other topics in this course, on both attack and defensive fronts. Objectives Understand Cryptography Understand Ciphers Identify Cryptography Tools To be successful in this lesson: Read Chapter 15 Read Study Guide for Lesson 1150B Study the Key Terms (italicized throughout the chapter) Complete and check Practice Exam Questions on pages 292 through 294 (Answers on pages 314 & 315) If you have the resources available to you please complete the Try It Out activities throughout the chapter for it will benefit your learning potential. Once you have completed the next chapter and the exam continue to the next lesson.

37 36 Chapter 16 Penetration Testing Overview Applying your CEH skills in a defensive manner will likely involve performing a penetration test. There many types that can be ordered by the client depending upon need and objective. The next class in the track, ECSA/ LPT, addresses this topic in detail. This chapter provides a preview of that course and for those that stop at CEH this is the minimum that you should know before introducing your hacking skills into a professional situation. Objectives Understand Penetration Testing (PT) Identify Security Assessments Identify various Penetration testing tools To be successful in this lesson: Read Chapter 16 Read Study Guide for Lesson 1150B Study the Key Terms (italicized throughout the chapter) Complete and check Practice Exam Questions on pages 294 through 297 (Answers on pages 315 & 316) If you have the resources available to you please complete the Try It Out activities throughout the chapter for it will benefit your learning potential. Once you have completed the exam, you might want to fill out the form for your certificate and send it in.

38 37 Lesson 1150B Examination Please complete the following exam. You may use the electronic grading system for quicker response. Simply log on to and enter your credentials. Once the exam has been submitted, your results will be returned within 72 hours. You may also your answers to or fax them to us at If you have any questions, please contact the Instruction Department. 1. This algorithm is used when the keys are related but do not reveal each other. (1) Asymmetric (3) Hashing (2) Symmetric (4) All are used 2. This does not use the PAIN model, which is considered by many to be one of the easiest ways to summarize the most important concepts of cryptography. (1) Privacy (3) Authenticity (2) Accuracy (4) Integrity 3. This is considered to be the most powerful attack type of the ones listed. (1) Known plain text (3) Cipher text only (2) Chosen cipher text (4) Chosen plain text 4. This type means it is has a shared key and a secret key. (1) Symmetric (2) Asymmetric (3) Hashing 5. This type means it is a public key. (1) Symmetric (2) Asymmetric (3) Hashing 6. This type means it is a one-way key. (1) Symmetric (2) Asymmetric (3) Hashing 7. This would define the immediate action, outlined in the initial documentation surrounding a penetration test that would be taken when a risk is discovered which cannot wait until the end of the test. (1) Get out of jail free card (3) Project scope (2) Rules of engagement (4) None of these

39 38 8. When designing the test from a high level view, this would provide the start and end dates of the test along with the people involved in the initial documentation surrounding a penetration test. (1) Get out of jail free card (3) Project scope (2) Rules of engagement (4) None of these 9. This is a valid reason to perform penetration testing. (1) Compliance (3) Test incident responses plans (2) Verification of false positive (4) All of these are reasons 10. This would be outlined in the initial documentation surrounding a penetration test as to what would occur when a tester is caught. (1) Get out of jail free card (3) Project scope (2) Rules of engagement (4) None of these END OF EXAMINATION