Certified Ethical Hacker (CEH) Exam Cheat Sheet


Basics

5 phases to a penetration test
Reconnaissance
Scanning & Enumeration
Gaining Access
Maintaining Access
Covering Tracks

Attack Types
OS: Attacks targeting default OS settings
App level: Application code attacks
Shrink Wrap: Off-the-shelf scripts and code
Misconfiguration: Not configured well

Legal
18 U.S.C. 1029 & 1030
RFC 1918 - Private IP Standard
RFC 3227 - Collecting and storing data
ISO 27002 - InfoSec Guidelines
CAN-SPAM - Email marketing
SPY-Act - License Enforcement
DMCA - Intellectual Property
SOX - Corporate Finance Processes
GLBA - Personal Finance Data
FERPA - Education Records
FISMA - Gov Networks Security Std

CVSS - Common Vuln Scoring System
CVE - Common Vulns and Exposure

Regional Registry Coverage Map (figure)

Reconnaissance
Definition: Gathering information on targets, whereas foot-printing is mapping out at a high level. These are interchangeable in C|EH.

Google Hacking
Format: operator:keyword, plus additional search items
site: Search only within domain
ext: File extension
loc: Maps location
intitle: Keywords in title tag of page
allintitle: Any keywords can be in title
inurl: Keywords anywhere in URL
allinurl: Any of the keywords can be in URL
incache: Search Google cache only

Cryptography

Symmetric Encryption
Key pairs required =
Symmetric Algorithms
DES: 56-bit key (8-bit parity); fixed block
3DES: 168-bit key; up to 3 keys
AES: 128, 192, or 256-bit; replaced DES
IDEA: 128-bit key
Twofish: Block cipher, key size ≤ 256-bit
Blowfish: Replaced by AES; 64-bit block
RC: Includes RC2 to RC6. Up to 2,040-bit key; RC6 has a 128-bit block

Asymmetric Encryption
Public key = Encrypt, Private key = Decrypt
Asymmetric Algorithms
Diffie-Hellman: Key exchange, used in SSL/IPSec
ECC: Elliptic Curve. Low processing power / mobile
El Gamal: Not based on primes; discrete log problem used to encrypt/sign
RSA: 2 x prime, up to 4,096-bit. Modern standard.

Hash Algorithms
MD5: 128-bit hash, expressed as 32 hex digits
SHA1: 160-bit hash, required for use in US apps
SHA2: 4 separate hashes: 224, 256, 384, 512

Trust Models
Web of trust: Entities sign certs for each other
Single Authority: CA at top. Trust based on the CA itself
Hierarchical: CA at top. RAs under it manage certs
XKMS - XML PKI System

Cryptography Attacks
Known Plain-text: Search plaintext for repeatable sequences. Compare to the encrypted versions.
Ciphertext-only: Obtain several messages encrypted with the same algorithm. Analyze to reveal repeating code.
Replay: Performed in MITM. Repeat an exchange to fool the system into setting up a comms channel.

Digital Certificate
Used to verify user identity = nonrepudiation
Version: Identifies format. Common = V1
Serial: Uniquely identifies the certificate
Subject: Whoever/whatever is being identified by the cert
Algorithm ID: Algorithm used
Issuer: Entity that verifies authenticity of the certificate
Valid from/to: Dates the certificate is good through
Key usage: Shows for what purpose the cert was made
Subject's public key: Self-explanatory
Optional fields: e.g., Issuer ID, Subject Alt Name...

DNS
Port 53: nslookup (UDP), zone transfer (TCP)
DNS record types
Service (SRV): Hostname & port # of servers
Start of Authority (SOA): Primary name server
Pointer (PTR): IP to hostname; for reverse DNS
Name Server (NS): Name servers with namespace
Mail Exchange (MX): E-mail servers
CNAME: Aliases in zone. List multiple services in DNS
Address (A): IP to hostname; for DNS lookup
DNS footprinting: whois, nslookup, dig

TCP Header Flags
URG: Indicates data being sent out of band
ACK: Acknowledgement to, and after, the SYN
PSH: Forces delivery without concern for buffering
RST: Forces comms termination in both directions
SYN: Initial comms. Parameters and sequence #'s
FIN: Ordered close to communications

DHCP
Client --Discover--> Server
Client <--Offer---- Server
Client --Request--> Server
Client <--ACK------ Server
IP is removed from pool

Scanning & Enumeration

ICMP Message Types
0: Echo Reply: Answer to type 8 Echo Request
3: Destination Unreachable: No host/network
  Codes
  0 - Destination network unreachable
  1 - Destination host unreachable
  6 - Network unknown
  7 - Host unknown
  9 - Network administratively prohibited
  10 - Host administratively prohibited
  13 - Communication administratively prohibited
4: Source Quench: Congestion control message
5: Redirect: 2+ gateways for sender to use, or the best route is not the configured default gateway
  Codes
  0 - Redirect datagram for the network
  1 - Redirect datagram for the host
8: Echo Request: Ping message requesting echo
11: Time Exceeded: Packet took too long to be routed

CIDR
Method of representing IPv4 addresses
Notation  Addresses  Mask
/30       4          255.255.255.252
/28       16         255.255.255.240
/26       64         255.255.255.192
/24       256        255.255.255.0
/22       1024       255.255.248.0
/20       4096       255.255.240.0

Port Numbers
0 - 1023: Well-known
1024 - 49151: Registered
49152 - 65535: Dynamic

Important Port Numbers
FTP: 20/21
SSH: 22
Telnet: 23
SMTP: 25
WINS: 42
TACACS: 49
DNS: 53
HTTP: 80 / 8080
Kerberos: 88
POP3: 110
Portmapper (Linux): 111
NNTP: 119
NTP: 123
RPC-DCOM: 135
NetBIOS/SMB: 137-139
IMAP: 143
SNMP: 161/162
LDAP: 389
HTTPS: 443
CIFS: 445
RADIUS: 1812
RDP: 3389
IRC: 6667
Printer: 515, 631, 9100
Tini: 7777
NetBus: 12345
Back Orifice: 27374
Sub7: 31337

HTTP Error Codes
200 Series - OK
400 Series - Could not provide request
500 Series - Could not process request

Nmap
Nmap is the de-facto tool for this pentest phase
nmap <scan options> <target>
-sA: ACK scan
-sF: FIN scan
-sS: SYN scan (Stealth scan)
-sT: TCP scan
-sI: IDLE scan
-sn: PING sweep
-sN: NULL scan
-sR: RPC scan
-P0: No ping
-sW: Window scan
-sX: XMAS tree scan
-PI: ICMP ping
-PS: SYN ping
-PT: TCP ping
-oN: Normal output
-oX: XML output
-A: OS/Version/Script detection
-T<0-4>: Slow - Fast

Scan Types
TCP: 3-way handshake on all ports. Open = SYN/ACK, Closed = RST/ACK
SYN: SYN packets to ports (incomplete handshake). Open = SYN/ACK, Closed = RST/ACK
FIN: Packet with FIN flag set. Open = no response, Closed = RST
XMAS: Multiple flags set (FIN, URG, and PSH). Binary header: 00101001. Open = no response, Closed = RST
ACK: Used for Linux/Unix systems. Open = RST, Closed = no response
IDLE: Spoofed IP, SYN flag, designed for stealth. Open = SYN/ACK, Closed = RST/ACK
NULL: No flags set. Responses vary by OS. NULL scans are designed for Linux/Unix machines.

NetBIOS
nbtstat
nbtstat -a COMPUTER
nbtstat -A 192.168.10.12    remote table
nbtstat -n    local name table
nbtstat -c    local name cache
nbtstat -r    purge name cache file
nbtstat -S 10    display session stats every 10 sec
1B == master browser for the subnet
1C == domain controller
1D == domain master browser

SNMP
Uses a community string for password
SNMPv3 encrypts the community strings

Sniffing and Evasion

IPv4 and IPv6
IPv4 == unicast, multicast, and broadcast
IPv6 == unicast, multicast, and anycast
IPv6 unicast and multicast scope includes link local, site local and global

MAC Address
First half = 3 bytes (24 bits) = Org UID
Second half = unique number

NAT (Network Address Translation)
Basic NAT is a one-to-one mapping where each internal IP == a unique public IP
NAT overload (PAT) == port address translation. Typically used as it is the cheaper option.

Stateful Inspection
Concerned with the connections. Doesn't sniff every packet; it just verifies whether it belongs to a known connection, then passes it along.

HTTP Tunnelling
Crafting of wrapped segments through a port rarely filtered by the firewall (e.g., 80) to carry payloads that may otherwise be blocked.

Snort IDS
It has 3 modes: Sniffer / Packet logger / Network IDS
Config file: /etc/snort, or c:\snort\etc
alert tcp !$HOME_NET any -> $HOME_NET 31337 (msg:"BACKDOOR ATTEMPT-Back-orifice";)
Any packet from any address != home network, using any source port, intended for an address in the home network on port 31337: send msg.
Span port: port mirroring
False Negative: IDS incorrectly reports stream clean
IDS Evasion Tactics: Slow down OR flood the network (and sneak through in the mix) OR fragmentation

TCPdump syntax
tcpdump <flag(s)> <interface>

Attacking a System

C|EH rules for passwords
Must not contain user's name. Min 8 chars. 3 of 4 complexity components, e.g., Special, Number, Uppercase, Lowercase

LM Hashing
7 spaces hashed: AAD3B435B51404EE

Attack types
Passive Online: Sniffing wire, intercept cleartext password / replay / MITM
Active Online: Password guessing
Offline: Steal copy of password, i.e., SAM. Cracking efforts on a separate system
Non-electronic: Social Engineering

Sidejacking
Steal cookies exchanged between systems and use them to perform a replay-style attack.

Authentication Types
Type 1: Something you know
Type 2: Something you have
Type 3: Something you are

Session Hijacking
Refers to the active attempt to steal an entire established session from a target
1. Sniff traffic between client and server
2. Monitor traffic and predict sequence
3. Desynchronise session with client
4. Predict session token and take over session
5. Inject packets to the target server

Kerberos
Kerberos makes use of symmetric and asymmetric encryption technologies and involves:
KDC: Key Distribution Centre
AS: Authentication Service
TGS: Ticket Granting Service
TGT: Ticket Granting Ticket
Process
1. Client asks KDC (who has AS and TGS) for ticket to authenticate throughout the network. This request is in clear text.
2. Server responds with secret key, hashed by the password copy kept on AD server (TGT).
3. TGT sent back to server requesting TGS if user decrypts.
4. Server responds with ticket, and client can log on and access network resources.

SAM file
C:\Windows\system32\config

Registry
2 elements make a registry setting: a key (location pointer) and a value (defines the key setting).
Root level keys are as follows:
HKEY_LOCAL_MACHINE - Info on hardware/software
HKEY_CLASSES_ROOT - Info on file associations and Object Linking and Embedding (OLE) classes
HKEY_CURRENT_USER - Profile info on current user
HKEY_USERS - User config info for all active users
HKEY_CURRENT_CONFIG - Pointer to \Hardware Profiles\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  \RunServicesOnce
  \RunServices
  \RunOnce
  \Run

Social Engineering
Human based attacks
Dumpster diving
Impersonation
Technical Support
Shoulder Surfing
Tailgating / Piggybacking
Computer based attacks
Phishing - Email scam
Whaling - Targeting CEOs
Pharming - Evil Twin website
Types of Social Engineers
Insider Associates: Limited authorized access
Insider Affiliates: Insiders by virtue of affiliation that spoof the identity of the insider
Outsider Affiliates: Non-trusted outsiders that use an access point that was left open

Physical Security
3 major categories of Physical Security measures
Physical measures: Things you taste, touch, smell
Technical measures: Smart cards, biometrics
Operational measures: Policies and procedures

Web-based Hacking
CSRF - Cross Site Request Forgery
Dot-dot-slash Attack: Variant of Unicode or un-validated input attack
SQL Injection attack types
Union Query: Use the UNION command to return the union of the target DB with a crafted DB
Tautology: Term used to describe behavior of a DB when deciding if a statement is true
Blind SQL Injection: Trial and error with no responses or prompts
Error based SQL Injection: Enumeration technique. Inject poorly constructed commands to have the DB respond with table names and other information

Buffer Overflow
A condition that occurs when more data is written to a buffer than it has space to store, resulting in data corruption. Caused by insufficient bounds checking, a bug, or poor configuration in the program code.
Stack: Premise is that all program calls are kept in a stack and performed in order. Try to change a function pointer or variable to allow code execution.
Heap: Takes advantage of memory "on top of" the application (dynamically allocated). Use program to overwrite function pointers.
NOP Sled: Takes advantage of the instruction called "no-op". Sends a large # of NOP instructions into the buffer. Most IDS protect from this attack.

Dangerous SQL functions
The following do not check size of destination buffers:
gets() strcpy() strcat() printf()

Wireless Network Hacking
Wireless sniffing: Compatible wireless adapter with promiscuous mode is required, but otherwise pretty much the same as sniffing wired.

802.11 Specifications
WEP: RC4 with 24-bit vector. Keys are 40 or 104-bit
WPA: RC4, supports longer keys; 48-bit IV
WPA/TKIP: Changes IV each frame and key mixing
WPA2: AES + TKIP features; 48-bit IV

Spec     Dist  Speed      Freq
802.11a  30m   54 Mbps    5 GHz
802.11b  100m  11 Mbps    2.4 GHz
802.11g  100m  54 Mbps    2.4 GHz
802.11n  125m  100 Mbps+  2.4/5 GHz

Bluetooth Attacks
Bluesmacking: DoS against a device
Bluejacking: Sending messages to/from devices
Bluesniffing: Sniffs for Bluetooth
Bluesnarfing: Actual theft of data from a device

Trojans and Other Attacks

Virus Types
Boot: Moves boot sector to another location. Almost impossible to remove.
Camo: Disguises as legit files.
Cavity: Hides in empty areas in exe.
Macro: Written in MS Office Macro Language
Multipartite: Attempts to infect files and boot sector at the same time.
Metamorphic virus: Rewrites itself when it infects a new file.
Network: Spreads via network shares.
Polymorphic Code virus: Encrypts itself using a built-in polymorphic engine. Constantly changing signature makes it hard to detect.
Shell virus: Like boot sector but wrapped around application code, and run on application start.
Stealth: Hides in files, copies itself to deliver payload.

DOS Types
SYN Attack: Send thousands of SYN packets with a false IP address. Target will attempt SYN/ACK response. All machine resources will be engaged.
SYN Flood: Send thousands of SYN packets but never respond to any of the returned SYN/ACK packets. Target will run out of available connections.
ICMP Flood: Send ICMP Echo packets with a fake source address. Target attempts to respond but reaches a limit of packets sent per second.
Application level: Send more "legitimate" traffic to a web application than it can handle.
Smurf: Send a large number of pings to the broadcast address of the subnet with source IP spoofed to the target. Subnet will send ping responses to the target.
Fraggle Attack: Similar to Smurf but uses UDP.
Ping of Death: Attacker fragments an ICMP message to send to the target. When the fragments are reassembled, the resultant ICMP packet is larger than max size and crashes the system.

Viruses
Heartbleed: CVE-2014-0160. Found by Neel Mehta, Heartbleed is a vulnerability with heartbeat in the OpenSSL software library. Allowed a MITM to steal information protected under normal conditions by SSL/TLS encryption.
POODLE: CVE-2014-3566. MITM exploit which took advantage of internet and software client fallback to SSL 3.0.
Shellshock: CVE-2014-6271. Exploits a vuln that executes code inside the ' ' where the text should not be executed.
ILOVEYOU: A worm originating in the Philippines. Started on May 5, 2000, and was built on a VBS macro in Microsoft Word/Excel templates.
MELISSA: Email virus based on an MS Word macro. Created in 1999 by David L. Smith.

Linux Commands

Linux File System
/ - Root
/var - Variable data / log files
/bin - Binaries / user commands
/sbin - System binaries / admin commands
/root - Home dir for root user
/boot - Stores kernel
/proc - Direct access to kernel
/dev - Hardware storage devices
/mnt - Mount devices

Identifying Users and Processes
INIT process ID: 1
Root UID, GID: 0
Accounts of services: 1-999
All other users: Above 1000

Permissions
4 - Read
2 - Write
1 - Execute
Order: User/Group/Others
764 - User>RWX, Grp>RW, Other>R

Snort
action protocol address port -> address port (option:value;option:value)
alert tcp 10.0.0.1 25 -> 10.0.0.2 25 (msg:"Sample Alert"; sid:1000;)

Command Line Tools
NMap: nmap -sT -T5 -n -p 1-100 10.0.0.1
Netcat: nc -v -z -w 2 10.0.0.1
TCPdump: tcpdump -i eth0 -v -X ip proto 1
Snort: snort -vde -c my.rules
hping: hping3 -I eth0 -c 10 -a 2.2.2.2 -t 100 10.0.0.1
iptables: iptables -A FORWARD -j ACCEPT -p tcp --dport 80

Tools of the Trade

Vulnerability Research
National Vuln Db
Eccouncil.org
Exploit-db

Foot-printing
Website Research Tools: Netcraft, Webmaster, Archive
DNS and Whois Tools: Nslookup, Sam Spade, ARIN, WhereisIP, DNSstuff, DNS-Digger
Website Mirroring: Wget, Archive, GoogleCache

Scanning and Enumeration
Ping Sweep: Angry IP Scanner, MegaPing
Scanning Tools: SuperScan, NMap (Zenmap), NetScan Tools Pro, Hping, Netcat
War Dialing: THC-Scan, TeleSweep, ToneLoc, WarVox
Banner Grabbing: Telnet, ID Serve, Netcraft, Xprobe
Vulnerability Scanning: Nessus, SAINT, Retina, Core Impact, Nikto
Network Mapping: NetMapper, LANState, IPSonar
Proxy, Anonymizer, and Tunneling: Tor, ProxySwitcher, ProxyChains, SoftCab, HTTP Tunnel, Anonymouse
Enumeration: SuperScan, User2Sid/Sid2User, LDAP Admin, Xprobe, Hyena
SNMP Enumeration: SolarWinds, SNMPUtil, SNMPScanner

System Hacking Tools
Password Hacking: Cain, John the Ripper, LCP, THC-Hydra, ElcomSoft, Aircrack, Rainbow Crack, Brutus, KerbCrack
Sniffing: Wireshark, Ace, KerbSniff, Ettercap
Keyloggers and Screen Capture: KeyProwler, Ultimate Keylogger, All in one Keylogger, Actual Spy, Ghost, Hidden Recorder, Desktop Spy, USB Grabber
Privilege Escalation: Password Recovery Boot Disk, Password Reset, Password Recovery, System Recovery
Executing Applications: PDQ Deploy, RemoteExec, Dameware
Spyware: Remote Desktop Spy, Activity Monitor, OSMonitor, SSPro, Spector Pro
Covering Tracks: ELSave, Cleaner, EraserPro, Evidence Eliminator
Packet Crafting/Spoofing: Komodia, Hping2, PackEth, Packet Generator, Netscan, Scapy, Nemesis
Session Hijacking: Paros Proxy, Burp Suite, Firesheep, Hamster/Ferret, Ettercap, Hunt

Cryptography and Encryption
Encryption: TrueCrypt, BitLocker, DriveCrypt
Hash Tools: MD5 Hash, Hash Calc
Steganography: XPTools, ImageHide, Merge Streams, StegParty, gifShuffle, QuickStego, InvisibleSecrets, EZStego, OmniHidePro
Cryptanalysis: Cryptanalysis, Cryptobench

Sniffing
Packet Capture: Wireshark, CACE, tcpdump, Capsa, OmniPeek, Windump, dnsstuff, EtherApe
Wireless: Kismet, Netstumbler
MAC Flooding/Spoofing: Macof, SMAC
ARP Poisoning: Cain, UfaSoft, WinARP Attacker

Wireless
Discovery: Kismet, NetStumbler, inSSIDer, NetSurveyor
Packet Sniffing: Cascade Pilot, Omnipeek, Comm View, Capsa
WEP/WPA Cracking: Aircrack, KisMac, Wireless Security Auditor, WepAttack, WepCrack, coWPatty
Bluetooth: BTBrowser, BH Bluejack, BTScanner, Bluesnarfer
Mobile Device Tracking: Where's My Droid, Find My Phone, GadgetTrack, iHound

Trojans and Malware
Wrappers: Elite Wrap
Monitoring Tools: HiJackThis, CurrPorts, Fport
Attack Tools: Netcat, Nemesis
IDS: Snort
Evasion Tools: ADMutate, NIDSBench, IDSInformer, Inundator
Web Attacks: Wfetch, Httprecon, ID Serve, WebSleuth, Black Widow, CookieDigger, Nstalker, NetBrute
SQL Injection: BSQL Hacker, Marathon, SQL Injection Brute, SQL Brute, SQLNinja, SQLGET

Find more StationX Cheat Sheets here - https://www.stationx.net/category/cheat-sheets/
