
- Acknowledgments
- About the Author
- Contents at a Glance
- Contents
- Table of Exercises
- Introduction
- Assessment Test
- Answers to Assessment Test
- Defining Ethical Hacking
- How to Be Ethical
- Keeping It Legal
- Summary
- Exam Essentials
- Review Questions
- Answers to Review Questions
- Reconnaissance
- Information-Gathering Methodology
- Social Engineering
- Summary
- Exam Essentials
- Review Questions
- Answers to Review Questions
- Scanning
- Enumeration
- Summary
- Exam Essentials
- Review Questions
- Answers to Review Questions
- The Simplest Way to Get a Password
- Types of Passwords
- Cracking a Password
- Understanding Keyloggers and Other Spyware Technologies
- Escalating Privileges
- Understanding Rootkits
- Hiding Files
- Understanding Steganography Technologies
- Summary
- Exam Essentials
- Review Questions
- Answers to Review Questions
- Trojans and Backdoors
- Viruses and Worms
- Summary
- Exam Essentials
- Review Questions
- Answers to Review Questions
- How a Sniffer Works
- Sniffing Countermeasures
- Bypassing the Limitations of Switches
- Wireshark Filters
- Summary
- Exam Essentials
- Review Questions
- Answers to Review Questions
- Denial of Service
- Session Hijacking
- Summary
- Exam Essentials
- Review Questions
- Answers to Review Questions
- How Web Servers Work
- Types of Web Server Vulnerabilities
- Web Application Vulnerabilities
- Summary
- Exam Essentials
- Review Questions
- Answers to Review Questions
- SQL Injection
- Buffer Overflows
- Summary
- Exam Essentials
- Review Questions
- Answers to Review Questions
- Wi-Fi and Ethernet
- Authentication and Cracking Techniques
- Using Wireless Sniffers to Locate SSIDs
- MAC Filters and MAC Spoofing
- Rogue Access Points
- Wireless Hacking Techniques
- Securing Wireless Networks
- Summary
- Exam Essentials
- Review Questions
- Answers to Review Questions
- Components of Physical Security
- Understanding Physical Security
- Physical Site Security Countermeasures
- What to Do After a Security Breach Occurs
- Summary
- Exam Essentials
- Review Questions
- Answers to Review Questions
- Linux Basics
- Compiling a Linux Kernel
- GCC Compilation Commands
- Installing Linux Kernel Modules
- Linux Hardening Methods
- Summary
- Exam Essentials
- Review Questions
- Answers to Review Questions
- Types of IDSs and Evasion Techniques
- Summary
- Exam Essentials
- Review Questions
- Answers to Review Questions
- Generating Public and Private Keys
- Cryptography Algorithms
- Summary
- Exam Essentials
- Review Questions
- Answers to Review Questions
- Defining Security Assessments
- Penetration Testing
- Pen Test Deliverables
- Summary
- Exam Essentials
- Review Questions
- Answers to Review Questions
- Glossary
- Index

Table of Exercises

| Exercise | Title | Page |
|---|---|---|
| 2.1 | Using SpyFu | 35 |
| 2.2 | Using KeywordSpy | 35 |
| 2.3 | Using the EDGAR Database to Gather Information | 36 |
| 2.4 | Using Whois | 42 |
| 3.1 | Using a Windows Ping | 69 |
| 3.2 | Free IPTools Port Scan | 76 |
| 3.3 | Use Netcraft to Identify the OS of a Web Server | 79 |
| 3.4 | Use Anonymouse to Surf Websites Anonymously | 80 |
| 4.1 | Use Ophcrack to Crack Passwords | 104 |
| 4.2 | Hiding Files Using NTFS File Streaming | 114 |
| 4.3 | Hiding Data in an Image Using ImageHide | 116 |
| 5.1 | Using Netcat | 133 |
| 5.2 | Signature Verification | 138 |
| 5.3 | Creating a Test Virus | 145 |
| 6.1 | Use Wireshark to Sniff Traffic | 160 |
| 6.2 | Create a Wireshark Filter to Capture Only Traffic to or from an IP Address | 162 |
| 7.1 | Preventing SYN Flood Attacks on Windows 2000 Servers | 181 |
| 8.1 | Disabling the Default Website in Internet Information Server | 199 |
| 8.2 | Using BlackWidow to Copy a Website | 200 |
| 8.3 | Banner Grabbing | 201 |
| 8.4 | Using Metasploit to Exploit a Web Server Vulnerability | 203 |
| 8.5 | Using Acunetix Web Vulnerability Scanner | 211 |
| 8.6 | Using a Password Cracker | 214 |
| 9.1 | Using HP’s Scrawlr to Test for SQL Injection Vulnerabilities | 227 |
| 9.2 | Performing a Buffer Overflow Attack Using Metasploit | 231 |
| 10.1 | Installing and Using a WLAN Sniffer Tool | 246 |
| 10.2 | MAC Address Spoofing | 248 |
| 11.1 | View a Video on Lockpicking | 269 |
| 11.2 | Audit Your Organization’s Physical Site Security | 269 |
| 12.1 | Configuring and Compiling the Kernel | 285 |
| 12.2 | Using a Live CD | 287 |
| 12.3 | Detecting Listening Network Ports | 292 |
| 13.1 | Installing and Using KFSensor as a Honeypot | 310 |
| 14.1 | Viewing a Digital Certificate | 331 |
| 14.2 | Using WinMD5 to Compute File Hashes | 333 |
| 15.1 | Viewing a Pen Testing Framework of Tools | 348 |
| 15.2 | Viewing a Sample Pen Testing Report Framework | 350 |

Introduction
The Certified Ethical Hacker (CEH) exam was developed by the International Council of E-Commerce Consultants (EC-Council) to provide an industry-wide means of certifying the competency of security professionals. The CEH certification is granted to those who have attained the level of knowledge and security skills needed to perform security audits and penetration testing of systems and networks.
The CEH exam is periodically updated to keep the certification applicable to the most recent hacking tools and vulnerabilities. This is necessary because a CEH must be familiar with the latest attacks and exploits. The most recent revisions to the exam as of this writing are found in version 6. The version 6 exam objectives are reflected in this book.
What Is CEH Certification?
The CEH certification was created to offer a wide-ranging certification, in the sense that it’s intended to certify competence with many different makers/vendors. This certification is designed for security officers, auditors, security professionals, site administrators, and anyone who deals with the security of the network infrastructure on a day-to-day basis.
The goal of ethical hackers is to help organizations take preemptive measures against malicious attacks by attacking systems themselves, all the while staying within legal limits. This philosophy stems from the proven practice of trying to catch a thief by thinking like a thief. As technology advances, organizations depend on it more and more, and their information assets have become critical to their survival.
The definition of an ethical hacker is similar to a penetration tester. The ethical hacker is an individual who is usually employed with the organization and who can be trusted to undertake an attempt to penetrate networks and/or computer systems using the same methods as a hacker. Hacking is a felony in the United States and most other countries. When it is done by request and under a contract between an ethical hacker and an organization, it is legal.
You need to pass only a single exam to become a CEH. But obtaining this certification doesn’t mean you can provide services to a company—this is just the first step. By obtaining your CEH certification, you’ll be able to obtain more experience, build on your interest in networks, and subsequently pursue more complex and in-depth network knowledge and certifications.
For the latest exam pricing and updates to the registration procedures, call either Thomson Prometric at (866) 776-6387 or (800) 776-4276, or Pearson VUE at (877) 680-3926. You can also go to either www.2test.com or www.prometric.com (for Thomson Prometric) or www.vue.com (for Pearson VUE) for additional information or to register online. If you have further questions about the scope of the exams or related EC-Council programs, refer to the EC-Council website at www.eccouncil.org.

Who Should Buy This Book?
Certified Ethical Hacker Study Guide is designed to be a study tool for experienced security professionals seeking the information necessary to successfully pass the certification exam. The study guide can be used either in conjunction with a more complete study program, computer-based training courseware, or classroom/lab environment, or as an exam review tool for those who want to brush up before taking the exam. It isn’t our goal to give away the answers, but rather to identify those topics on which you can expect to be tested.
If you want to become a CEH, this book is definitely what you need. However, if you just want to attempt to pass the exam without really understanding the basics of ethical hacking, this guide isn’t for you. It’s written for people who want to create a foundation of the skills and knowledge necessary to pass the exam, and then take what they learned and apply it to the real world.
How to Use This Book and the CD
We’ve included several testing features in the book and on the CD. These tools will help you retain vital exam content as well as prepare to sit for the actual exam:
Chapter Review Questions To test your knowledge as you progress through the book, there are review questions at the end of each chapter. As you finish each chapter, answer the review questions and then check your answers—the correct answers appear on the page following the last review question. You can go back to reread the section that deals with each question you got wrong to ensure that you answer correctly the next time you’re tested on the material.
Electronic Flashcards You’ll find flashcard questions on the CD for on-the-go review. These are short questions and answers, just like the flashcards you probably used to study in school. You can answer them on your PC or download them onto a Palm device for quick and convenient reviewing.
Test Engine The CD also contains the Sybex Test Engine. Using this custom test engine, you can identify weak areas up front and then develop a solid studying strategy using each of these robust testing features. Our thorough readme file will walk you through the quick, easy installation process.
In addition to taking the chapter review questions, you’ll find sample exams. Take these practice exams just as if you were taking the actual exam (without any reference material). When you’ve finished the first exam, move on to the next one to solidify your test-taking skills. If you get more than 90 percent of the answers correct, you’re ready to take the certification exam.
Searchable Book in PDF The CD contains the entire book in PDF (Adobe Acrobat) format so you can easily read it on any computer. If you have to travel and brush up on any key terms, and you have a laptop with a CD-ROM drive, you can do so with this resource.

Tips for Taking the CEH Exam
Here are some general tips for taking your exam successfully:
- Bring two forms of ID with you. One must be a photo ID, such as a driver’s license. The other can be a major credit card or a passport. Both forms must include a signature.
- Arrive early at the exam center so you can relax and review your study materials, particularly tables and lists of exam-related information.
- Read the questions carefully. Don’t be tempted to jump to an early conclusion. Make sure you know exactly what the question is asking.
- Don’t leave any unanswered questions. Unanswered questions are scored against you.
- There will be questions with multiple correct responses. When there is more than one correct answer, a message at the bottom of the screen will prompt you to either “Choose two” or “Choose all that apply.” Be sure to read the messages displayed to know how many correct answers you must choose.
- When answering multiple-choice questions you’re not sure about, use a process of elimination to get rid of the obviously incorrect answers first. Doing so will improve your odds if you need to make an educated guess.
- For the latest pricing on the exams and updates to the registration procedures, visit EC-Council’s website at www.eccouncil.org.
The CEH Exam Objectives
At the beginning of each chapter in this book, we have included the complete listing of the CEH objectives as they appear on EC-Council’s website. These are provided for easy reference and to assure you that you are on track with the objectives.
Exam objectives are subject to change at any time without prior notice and at EC-Council’s sole discretion. Please visit the CEH Certification page of EC-Council’s website (www.eccouncil.org/certification/certified_ethical_hacker.aspx) for the most current listing of exam objectives.
Ethics and Legality
- Understand ethical hacking terminology.
- Define the job role of an ethical hacker.
- Understand the different phases involved in ethical hacking.
- Identify different types of hacking technologies.
- List the five stages of ethical hacking.
- What is hacktivism?
- List different types of hacker classes.
- Define the skills required to become an ethical hacker.
- What is vulnerability research?
- Describe the ways of conducting ethical hacking.
- Understand the legal implications of hacking.
- Understand 18 U.S.C. § 1030 US Federal Law.
Footprinting
- Define the term footprinting.
- Describe information-gathering methodology.
- Describe competitive intelligence.
- Understand DNS enumeration.
- Understand Whois, ARIN lookup.
- Identify different types of DNS records.
- Understand how traceroute is used in footprinting.
- Understand how email tracking works.
- Understand how web spiders work.
Scanning
- Define the terms port scanning, network scanning, and vulnerability scanning.
- Understand the CEH scanning methodology.
- Understand ping sweep techniques.
- Understand nmap command switches.
- Understand SYN, stealth, XMAS, NULL, IDLE, and FIN scans.
- List TCP communication flag types.
- Understand war dialing techniques.
- Understand banner grabbing and OS fingerprinting techniques.
- Understand how proxy servers are used in launching an attack.
- How do anonymizers work?
- Understand HTTP tunneling techniques.
- Understand IP spoofing techniques.
Enumeration
- What is enumeration?
- What is meant by null sessions?
- What is SNMP enumeration?
- What are the steps involved in performing enumeration?
System Hacking
- Understanding password cracking techniques.
- Understanding different types of passwords.
- Identify various password cracking tools.
- Understand escalating privileges.
- Understanding keyloggers and other spyware technologies.
- Understand how to hide files.
- Understand rootkits.
- Understand steganography technologies.
- Understand how to cover your tracks and erase evidence.
Trojans and Backdoors
- What is a Trojan?
- What is meant by overt and covert channels?
- List the different types of Trojans.
- What are the indications of a Trojan attack?
- Understand how Netcat Trojan works.
- What is meant by wrapping?
- How do reverse connecting Trojans work?
- What are the countermeasure techniques in preventing Trojans?
- Understand Trojan evading techniques.
Sniffers
- Understand the protocols susceptible to sniffing.
- Understand active and passive sniffing.
- Understand ARP poisoning.
- Understand Ethereal capture and display filters.
- Understand MAC flooding.
- Understand DNS spoofing techniques.
- Describe sniffing countermeasures.
Denial of Service
- Understand the types of DoS attacks.
- Understand how a DDoS attack works.
- Understand how BOTs/BOTNETs work.
- What is a Smurf attack?
- What is SYN flooding?
- Describe the DoS/DDoS countermeasures.
Social Engineering
- What is social engineering?
- What are the common types of attacks?
- Understand dumpster diving.
- Understand reverse social engineering.
- Understand insider attacks.
- Understand identity theft.
- Describe phishing attacks.
- Understand online scams.
- Understand URL obfuscation.
- Social engineering countermeasures.
Session Hijacking
- Understand spoofing vs. hijacking.
- List the types of session hijacking.
- Understand sequence prediction.
- What are the steps in performing session hijacking?
- Describe how you would prevent session hijacking.
Hacking Web Servers
- List the types of web server vulnerabilities.
- Understand the attacks against web servers.
- Understand IIS Unicode exploits.
- Understand patch management techniques.
- Understand Web Application Scanner.
- What is the Metasploit Framework?
- Describe web server hardening methods.
Web Application Vulnerabilities
- Understand how a web application works.
- Objectives of web application hacking.
- Anatomy of an attack.
- Web application threats.
- Understand Google hacking.
- Understand web application countermeasures.
Web-Based Password-Cracking Techniques
- List the authentication types.
- What is a password cracker?
- How does a password cracker work?
- Understand password attacks—classification.
- Understand password cracking countermeasures.
SQL Injection
- What is SQL injection?
- Understand the steps to conduct SQL injection.
- Understand SQL Server vulnerabilities.
- Describe SQL injection countermeasures.
Wireless Hacking
- Overview of WEP, WPA authentication systems, and cracking techniques.
- Overview of wireless sniffers and SSID, MAC spoofing.
- Understand rogue access points.
- Understand wireless hacking techniques.
- Describe the methods in securing wireless networks.
Viruses and Worms
- Understand the difference between a virus and a worm.
- Understand the types of viruses.
- How a virus spreads and infects the system.
- Understand antivirus evasion techniques.
- Understand virus detection methods.
Physical Security
- Physical security breach incidents.
- Understand physical security.
- What is the need for physical security?
- Who is accountable for physical security?
- Factors affecting physical security.
Linux Hacking
- Understand how to compile a Linux kernel.
- Understand GCC compilation commands.
- Understand how to install LKM modules.
- Understand Linux hardening methods.
Evading IDS, Honeypots, and Firewalls
- List the types of intrusion detection systems and evasion techniques.
- List firewall and honeypot evasion techniques.
Buffer Overflows
- Overview of stack-based buffer overflows.
- Identify the different types of buffer overflows and methods of detection.
- Overview of buffer overflow mutation techniques.
Cryptography
- Overview of cryptography and encryption techniques.
- Describe how public and private keys are generated.
- Overview of MD5, SHA, RC4, RC5, Blowfish algorithms.
Penetration Testing Methodologies
- Overview of penetration testing methodologies.
- List the penetration testing steps.
- Overview of the Pen-Test legal framework.
- Overview of the Pen-Test deliverables.
- List the automated penetration testing tools.
Hardware and Software Requirements
This book contains numerous lab exercises to practice the skills of ethical hacking. In order to be able to perform all the lab exercises, you must have an extensive lab setup of many different types of operating systems and servers. The lab should have the following operating systems:
- Windows 2000 Professional
- Windows 2000 Server
- Windows NT Server 4.0
- Windows XP
- Windows Vista
- Linux (Backtrack recommended)
The purpose of the diverse OS types is to test the hacking tools against both patched and unpatched versions of each OS. The best way to do that is to use a virtual machine setup: you do not need to have actual systems for each OS, but they can be loaded as needed to test hacking tools. At a minimum, your lab should include test systems running the following services:
- FTP
- Telnet
- Web (HTTP)
- SSL (HTTPS)
- POP
- SMTP
- SNMP
- Active Directory
Additionally, the benefit of using a virtual machine setup is that the systems can be restored without affecting the host system. By using a virtual environment, malware such as rootkits, Trojans, and viruses can be run without endangering any real production data. The tools in the book should never be used on production servers or systems because real and immediate data loss could occur.
In addition to the host system necessary to run the virtual server environment, a USB drive will be needed. This book includes lab instructions to create a bootable Linux Backtrack installation on a USB drive.
How to Contact the Publisher
Sybex welcomes feedback on all of its titles. Visit the Sybex website at www.sybex.com for book updates and additional certification information. You’ll also find forms you can use to submit comments or suggestions regarding this or any other Sybex title.