CEH - FINAL Prep
Sparse infector Virus
Conditional virus that only executes if certain conditions are met, often to avoid detection by antivirus.
Shellshock aka Bashdoor
Exploits a vulnerability in Bash <= 4.3 that allows trailing content in an environment variable to be executed, giving command execution on the remote host.
LM Password < 8 Characters: AAD3B435B51404EE LM Empty Password: AAD3B435B51404EEAAD3B435B51404EE
If a LAN Manager (LM) password is less than 7 characters, what will the LM hash end with? If the LM password is EMPTY, what will the exact hash be?
ProxyChains # proxychains nmap -A victim-IP
Linux command line tool that enables pen testers to mask their identity and/or source IP by sending messages through proxy servers.
nmap -sS host
Which NMAP command performs a stealth (SYN) scan?
nmap -sU -p [port] [host]
Which NMAP command initiates a UDP scan?
nmap -A
Which nmap command provides the following: - aggressive scanning -- OS fingerprinting -- version detection -- script scanning -- traceroute
(Computer Security Incident Response Team) CSIRT
Who should you report a computer security incident to?
NIST SP 800-53
NIST regulation defining security and privacy controls for Federal Information systems and organizations
OWASP Top 10 Mobile Threats
OWASP Top 10 Mobile Threats 1) Improper Platform Usage 2) Insecure Data Storage 3) Insecure Communications 4) Insecure Authentication 5) Insufficient Cryptography 6) Insecure Auth 7) Client Code Quality 8) Code Tampering 9) Reverse Engineering 10) Extraneous Functionality
OWASP Top 10 Web App Security Risks
OWASP Top 10 Web App Security Risks 1) Injection 2) Broken Authentication 3) Sensitive Data Exposure 4) XML External Entities (XXE) 5) Broken Access Control 6) Security Misconfiguration 7) Cross-Site Scripting (XSS) 8) Insecure Deserialization 9) Using Components with Known Vulnerabilities 10) Insufficient Logging and Monitoring
Retinal Scan - blood vessels, invasive, not common; Iris Scan - front of eye, less invasive, common
Ocular-based (eye) Biometric ID scans: ________- scans blood vessels in back of the eye. Invasive but accurate _______ - uses camera & scans iris (front of eye) less invasive, most common
Common Vulnerability Scoring System (CVSS) Scores
Open standard for assessing severity of system security vulnerabilities. Assigns severity scores to vulnerabilities (CVE).
Cain & Abel
Password cracking tool (Windows) that can crack a wide variety of passwords AS WELL AS perform the following: - Record VoIP - Capture RDP traffic - Poison ARP - start/stop Windows services - launch shell on remote host - extract SIDs - remotely modify Windows registry - collect certificates for MITM - calculate RSA SecurID tokens - Detect 802.11 WLANs - reveal passwords in text boxes - Enumerate network devices
LANMAN (LM hash)
Passwords are converted to Uppercase and truncated or padded to become 14 characters long. Hash is divided into two 7-byte parts, each used as a 56-bit DES key to encrypt the fixed string. Hash is unsalted and susceptible to dictionary and rainbow table attacks
Libwhisker
Perl module supporting IDS evasion techniques such as session splicing. Some web vulnerability scanners, like Nikto, rely on it for session splicing functionality.
- LDAP Injection <-- " )(&)" - SQL Injection <-- " ' " (single quote) - CSPP Injection <-- " ; " (semicolon) - SOAP Injection <-- (similar to SQL)
What characters are typically used when attempting the following types of "Injection" attacks? - LDAP Injection - SQL Injection - CSPP Injection (Connection Stream Parameter Pollution) - SOAP Injection
psexec -s cmd.exe <- windows sysinternals
What command allows you to run commands on Windows as a "system" user (and also has many other functions)?
hping -0 -- rawip hping -1 -- icmp hping -2 -- udp hping -8 -- scan hping -9 -- listen
What do each of the following hping commands do: hping -0 hping -1 hping -2 hping -8 hping -9
Windows LM password Hash Tools / Crackers
What do the following utilities perform - Cain & Abel - THC-Hydra - network login cracker - John the Ripper - Medusa - Ophcrack - L0phtCrack - Hashcat - Netbios Auditing Tool (NAT)
Common Vulnerabilities and Exposures (CVE) cve.mitre.org ex. CVE-2019-2855
What does CVE stand for? What is the website?
netstat -tanp <- displays all TCP connections, in numeric form, with the program running on the port: "t" - TCP connections, "a" - ALL, "n" - NUMERIC (don't resolve), "p" - PROGRAM RUNNING
What do the following Linux netstat switches display? netstat -tanp
netstat -an <-- displays all connections & listening ports; netstat -an | find "443" <-- "greps" 443 from the output; netstat -an | find "443" && netstat -anb | find "*.exe" <-- also runs "netstat -anb" (-b displays the executable involved) and "greps" for *.exe
What does the following WINDOWS command display? netstat -an | find "443" && netstat -anb | find ".exe"
searchsploit
What is Exploit-db.com, and what is the command-line tool for searching it on Linux?
Armitage
What is a GUI front-end for Metasploit?
c:\System Volume Information - Only "system" accounts can access this folder. Even administrators cannot access it easily.
What is a good Windows directory to hide malware in? Why?
Internet Services Application Programming Interface (ISAPI) -- notoriously insecure and can expose the web server to threats
What is ISAPI and why should it be removed from web servers?
CryptCat
What is the encrypted version of Netcat (nc)?
OSI Layer 3 (Network)
At what layer of the OSI model do packet filtering firewalls typically operate? Packet filtering firewalls examine incoming and outgoing (IP) packets and compare them to an ACL.
Reconnaissance stage. 4 main focuses / benefits of footprinting: 1) Know the security posture 2) Reduce the focus area (network range / targets) 3) Identify vulnerabilities 4) Draw a network map
In what stage does footprinting occur? What are the 4 main focuses and benefits of footprinting?
auditpol.exe
advanced audit policy configuration tool for windows
Slowloris
Keeps as many connections to the web server open, and holds them open as long as possible, by opening connections to the target web server and sending only a partial request.
Heartbleed Bug
Vulnerability in the OpenSSL cryptographic software library allowing 64KB of the web server's memory to be read at regular intervals. The weakness allows theft of protected information (e.g. the server's private key) or man-in-the-middle attacks against the server.
Rena
Vulnerability scanner like Nessus, indicated in the CEH exam blueprint. Very limited information online about it.
PCAP Packet Capture Library: Libpcap - Unix; WinPcap - Windows; AirPcap - Wireless
What packet capture libraries do the following utilities use: - Kismet - L0phtCrack - Nmap / Ngrep - tcpdump / Wireshark - Snort
net view /domain
(windows) net view command to enumerate all workgroups and domains
net view /domain:XYZ
(windows) net view command to enumerate machines in the domain XYZ
net view /domain:workgroup
(windows) net view command to enumerate machines in workgroup WORKGROUP
net view
(windows) net view command to enumerate machines within the same workgroup
IKE-scan
IPSec VPN scanning, fingerprinting and testing tool
telnet websvr 80 HEAD / HTTP/1.0
Banner grab of a web server running on port 80
Circuit Level Firewalls
_________ firewalls operate primarily at the Session Layer (OSI Layer 5).
Web server examination and testing tools
Black Widow, Nikto
Bluebugging Attack Blooover - tool for performing this attack
Bluetooth attack that creates a back door allowing the attacker to listen to conversations, forward calls, and send texts. What tool is used to perform this type of attack?
RC4
Broken Algorithm used to encrypt WEP wifi traffic (not secure)
Fraggle Attack
UDP-based DoS attack using UDP echo requests with a forged source address (the victim's). The victim is overwhelmed with replies from network clients responding to the UDP broadcasts.
WannaCry Ransomware
Ransomware that used the EternalBlue (SMB) exploit to spread worldwide on May 12, 2017
5 Phases of Hacking (CEH Methodology) (RSG-MC)
1. Reconnaissance 2. Scanning 3. Gaining access 4. Maintaining access 5. Covering tracks
1) Legislative - (SOX, HIPAA) 2) Contractual - requirements enforced by an industry or group (PCI DSS) 3) Standards Based - ITIL, ISO. Maintained by: Institute for Security & Open Methodologies (ISECOM)
3 Types of Compliance: Open Source Security Testing Methodology Manual (OSSTMM) - testing methodology manual that defines 3 types of COMPLIANCE: 1) _______________ - (SOX, HIPAA) 2) _______________ - requirements enforced by an industry or group (PCI DSS) 3) _________________ - ITIL, ISO
NIST SP 800-30 1) Purpose, Scope & Source Identification 2) Threat Identification 3) Vulnerability Identification 4) Likelihood Determination 5) Impact Analysis 6) Risk Determination 7) Communication & Sharing Risk Assessment Information 8) Maintain the Risk Assessment
8 Steps in conducting a risk assessment according to: NIST SP 800-30
VAWTRAK Attack
Attack where the attacker sends an email with malware disguised as a package delivery notification. Typically targets stealing BANKING information. Banking Trojan.
Clickjacking Attack
Attack where the attacker wraps a trusted webpage in an IFrame and places transparent images over legitimate links that link to malicious content or sites. Also called a UI redress attack.
Cross-Site Request Forgery (XSRF) / (CSRF)
The attacker takes advantage of the trust established between an authorized website user and the website itself. Allows the attacker to, for example, change quantities in a shopping cart. The attack exploits trust in the user's unexpired cookies (e.g. the user clicked "Remember Me" on the website); it is that saved authentication cookie that is exploited.
smurf attack
DDoS attack - ICMP packets with the victim's (spoofed) source IP are sent to the network's broadcast IP address. Network devices respond and overwhelm the victim. Mitigation: 1) Configure hosts and routers to not respond to ICMP requests or broadcasts; OR 2) Configure routers to not forward packets directed to broadcast addresses.
DHCP Server / Client Exchange
DHCPDiscover (client) DHCPOffer (srvr) DHCPRequest (client) DHCPAck (srvr)
Bluesmack Attack
DoS Bluetooth attack similar to Ping of Death. Relies on oversized LLC and L2CAP ping messages, crashing the device.
tear-drop attack
DoS attack involving sending mangled IP fragments with overlapping, oversized payloads to the target machine. Crashes various OSes due to a bug in their TCP/IP fragmentation reassembly code.
packETH
GUI based (Linux) Ethernet tool for generating TCP/IP packets.
psexec.exe \\victimIP c:\attacker.exe
How would you execute a local command on a remote host?
ICMP Type 3 (unreachable) Codes: - Type 3, Code 0 = dest Net unreachable - Type 3, Code 1 = dest Host unreachable - Type 3, Code 2 = Protocol Unreachable - Type 3, Code 3 = Port Unreachable - Type 3, Code 13 = traffic FILTERED by firewall
ICMP Type 3 (unreachable) Codes: - Type 3, Code 0 = - Type 3, Code 1 = - Type 3, Code 2 = - Type 3, Code 3 = - Type 3, Code 13 =
ICMP Types: Type 0 = Echo Reply Type 3 = Dest Unreachable Type 8 = EchoRequest
ICMP Types: Type 0 = Type 3 = Type 8 =
Unicast - 1 to 1 (e.g. HTTP); Broadcast - 1 to all (e.g. ARP); Multicast - 1 to all registered (e.g. IGMP, SLP); Anycast - many to few (e.g. 6to4)
Unicast - Broadcast - Multicast - Anycast -
Nmap - OPEN port
Port Scan w/Nmap: _________ port indicates an application is actively accepting connections. Finding these is often the primary goal of port scanning.
Nmap - CLOSED | FILTERED
Port Scan w/Nmap: __________ port - Nmap is unable to determine whether the port is closed or filtered. Only used for the IP ID idle scan.
Nmap - OPEN | FILTERED
Port Scan w/Nmap: __________ port - Nmap places ports in this state when it is unable to determine whether the port is open or filtered. Occurs for scan types where open ports give no response. The lack of response may indicate that a packet filter dropped the probe or any response it elicited. UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.
Nmap - UNFILTERED port
Port Scan w/Nmap: __________ port - port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Other scan types such as Window scan, SYN scan, or FIN scan, may help resolve whether the port is open.
Nmap - CLOSED port
Port Scan w/Nmap: __________ port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it. Helpful in showing that a host is up on an IP address (host discovery, or ping scanning), and as part of OS detection.
Nmap - FILTERED port
Port Scan w/Nmap: ___________ port - Nmap cannot determine whether the port is open because probes are prevented from reaching it. This could be due to a dedicated firewall device, router rules, or host-based firewall software. This port state frustrates attackers because it provides so little information.
mkdir /media/sda1 mount /dev/sda1 /media/sda1 chroot /media/sda1 passwd asdlfkjasldf
Process to reset a Linux password from a live boot
RSA vs AES Encryption
RSA - (asymmetric) AES - (symmetric) RSA may be used to exchange AES keys securely, then AES to encrypt the actual messages
SID ending in 500 = Admin SID ending in 501 = guest SID ending in 1000 ( or higher) = standard user
SIDs ending in 500 indicate what? SIDs ending in 501 indicate what? SIDs ending in 1000 (or higher)?
Bettercap
Swiss Army knife for WiFi, Bluetooth Low Energy, wireless HID hijacking and Ethernet network reconnaissance and MITM attacks. Portable framework written in Go for performing reconnaissance and attacking WiFi networks, Bluetooth Low Energy devices, wireless HID devices and Ethernet networks. Earlier versions (1.x) were implemented in Ruby and only offered MITM, sniffing and proxying capabilities.
Firewalk - TTL Expired in Transit = OPEN | UNFILTERED - Destination (any) Unreachable = FILTERED - No response = FILTERED
Tool (combination of traceroute and port scan) used to determine which ports are filtered by a gateway firewall, by manipulating TTLs. TTLs are set to expire 1 hop after the firewall. What does it mean if the tool receives: - TTL Expired in Transit = - Destination (any) Unreachable = - No Response =
mimikatz
Tool that dumps stored Windows login hashes and provides the corresponding plaintext password that matches each hash. Linux tool written in French.
CloudInspect
Tool that offers penetration testing as a service for AWS EC2 users
CloudPassage Halo
Tool that provides visibility and security controls for servers in public clouds, private clouds and datacenters.
Windows Credential Editor (WCE) Mimikatz
Two tools that allow Windows users to dump passwords in plain text: - -
Polymorphic Virus
Type of Virus that mutates itself and changes its signature to avoid detection by antivirus software
Cavity Virus
Virus that overwrites portions of a file that are not being used and therefore does not increase the filesize when the file is infected.
PSK (Phase Shift Keying) 4-DQPSK - 2Mbps 8-DPSK - 3Mbps
What 2 types of Bluetooth 2.0 Enhanced Data Rate (EDR) phase-shift keying (PSK) modulation does Bluetooth support?
ifconfig -a <-- shows all NIC interfaces even if they are down ifconfig <-- shows NIC interfaces currently up
What Linux "ifconfig" command displays ALL network interfaces even if they are currently down? Which "ifconfig" command displays interfaces that are up?
NIST SP 500-292 "Cloud Computing Reference Architecture" 5 Roles: - cloud Provider - cloud Broker - cloud Auditor - cloud Consumer - cloud Carrier
What are the 5 roles defined by NIST's "Cloud Computing Reference Architecture" NIST SP 500-292 (PBACC)
OSSTMM Interactive Controls (Class A) 1) Authentication 2) Indemnification -contractual protection 3) Resilience - protection of corruption/failure 4) Subjugation - ensures interactions occur according to processes 5) Continuity
What are the 5 types of OSSTMM Interactive controls? (Class A) (AIRSC) Open Source Security Testing Methodology Manual
1) Non-repudiation 2) Confidentiality 3) Privacy 4) Integrity 5) Alarm - notifies participants
What are the 5 types of OSSTMM PROCESS Controls? (Class B) (NCPIA) Open Source Security Testing Methodology Manual
Passive OS fingerprinting: - Time-to-Live (TTL) fields - TCP Window Sizes - Don't Fragment (DF) Flags - Type of Service (ToS) Fields
What attributes (4) are commonly used during passive OS fingerprinting?
Vulnerability Risk = Threat * Vulnerability
_____ is a RISK equation component described as the likelihood of a THREAT being successful
Threat Risk = Threat * Vulnerability
_____ is a RISK equation component described as the rate or frequency of a potential negative impact.
Federal Information Technology Acquisition Reform Act FITARA
________ Act made changes to the ways the U.S. federal government buys and manages computer technology. The U.S. federal government spends over $80 billion a year on IT products and services. Almost half of this goes to maintaining old and out-of-date systems.
Local Area Network Denial Attack (LAND Attack)
Attack - sends a spoofed TCP SYN packet with the victim's IP and an open port as BOTH source and destination. The machine replies to itself continuously. Vulnerability also found in SNMP and (Kerberos/global services).
Pharming attack
Cyber attack intended to redirect a website's traffic to another, fake site. Can result from DNS cache poisoning or a hosts file attack.
Cross-site scripting (XSS)
Enables attackers to inject client-side scripts into web pages viewed by other users. The malicious content sent to the browser often takes the form of JavaScript, but may also include HTML, Flash, or any other browser-executable code. Mitigation: - setting the HttpOnly flag on cookies - input validation (server side)
nmap -sA IP <- TCP ACK scan (not to be confused with: nmap -A IP <- aggressive scan)
nmap command that performs a TCP ACK scan
nmap -sC nmap --script filename
nmap command to perform a script scan using default scripts nmap command to run specific script
nmap -sV [IP] -p [port]
nmap command to probe open ports to determine the service/Version info
ls -d - lists ALL DNS records; ls -a - lists host aliases; ls -h - lists CPU & OS; ls -s - lists known services of the host; set type=ns (query DNS). (The ls commands above initiate a zone transfer if the DNS server is not secured; DNS zone transfers are typically disabled on DNS servers these days.)
nslookup interactive commands: ls -d ls -a ls -h ls -s set type=ns
KerbCrack
Package consisting of 2 programs: a sniffer that listens on the network and captures Windows 2000/XP Kerberos logins, and a cracker that can be used to recover the passwords from the capture file using a brute force attack or a dictionary attack.
Internet Group Management Protocol (IGMP)
Protocol used by hosts and adjacent routers on IPv4 networks to establish multicast group memberships. Integral part of IP multicast. Operates at Layer 3 (network).
Service-oriented architecture (SOA)
Software design (API) where services are provided to other components by application-specific components, typically over a network. Vendor neutral.