Certified Ethical Hacker (CEH) Exam Cheat Sheet

Basics

5 phases to a penetration test
1. Reconnaissance
2. Scanning & Enumeration
3. Gaining Access
4. Maintaining Access
5. Covering Tracks

Attack Types
OS: Attacks targeting default OS settings
App level: Application code attacks
Shrink Wrap: Off-the-shelf scripts and code
Misconfiguration: Not configured well

Legal
18 U.S.C. 1029 & 1030
RFC 1918 - Private IP Standard
RFC 3227 - Collecting and storing data
ISO 27002 - InfoSec Guidelines
CAN-SPAM - Email marketing
SPY-Act - License Enforcement
DMCA - Intellectual Property
SOX - Corporate Finance Processes
GLBA - Personal Finance Data
FERPA - Education Records
FISMA - Gov Networks Security Std
CVSS - Common Vuln Scoring System
CVE - Common Vulns and Exposure
[Regional Registry Coverage Map: image not reproduced in text]

Cryptography

Symmetric Encryption
Key pairs required = [value missing in source]

Symmetric Algorithms
DES: 56bit key (8bit parity); fixed block
3DES: 168bit key; keys <= 3
AES: 128, 192, or 256; replaced DES
IDEA: 128bit key
Twofish: Block cipher, key size <= 256bit
Blowfish: Replaced by AES; 64bit block
RC: incl. RC2 -> RC6. 2,040bit key, RC6 (128bit block)

Asymmetric Encryption
Public key = Encrypt, Private key = Decrypt

Asymmetric Algorithms
Diffie-Hellman: Key exchange, used in SSL/IPSec
ECC: Elliptical Curve. Low process power/Mobile
El Gamal: != Primes, log problem to encrypt/sign
RSA: 2 x Prime, 4,096bit. Modern std.

Hash Algorithms
MD5: 128bit hash, expressed as 32 hex chars
SHA1: 160bit hash, required for use in US apps
SHA2: 4 separate hashes: 224, 256, 384, 512

Trust Models
Web of trust: Entities sign certs for each other
Single Authority: CA at top. Trust based on CA itself
Hierarchical: CA at top. RAs under it manage certs
XKMS - XML PKI System

Cryptography Attacks
Known Plain-text: Search plaintext for repeatable sequences. Compare to ciphertext versions.
Ciphertext-only: Obtain several messages with same algorithm. Analyze to reveal repeating code.
Replay: Performed in MITM. Repeat exchange to fool system into setting up a comms channel.

Digital Certificate
Used to verify user identity = nonrepudiation
Version: Identifies format. Common = V1
Serial: Uniquely identifies the certificate
Subject: Whoever/whatever is being identified by cert
Algorithm ID: Algorithm used
Issuer: Entity that verifies authenticity of certificate
Valid from/to: Certificate good through dates
Key usage: Shows for what purpose cert was made
Subject's public key: Self-explanatory
Optional fields: e.g., Issuer ID, Subject Alt Name...

Reconnaissance

Definition
Gathering information on targets, whereas foot-printing is mapping out at a high level. These are interchangeable in C|EH.

Google Hacking
Operator: keyword additional search items
site: Search only within domain
ext: File extension
loc: Maps location
intitle: Keywords in title tag of page
allintitle: Any keywords can be in title
inurl: Keywords anywhere in URL
allinurl: Any of the keywords can be in URL
incache: Search Google cache only

DNS
Port 53: nslookup (UDP), Zone xfer (TCP)

DNS record types
Service (SRV): Hostname & port # of servers
Start of Authority (SOA): Primary name server
Pointer (PTR): IP to Hostname; for reverse DNS
Name Server (NS): Name servers with namespace
Mail Exchange (MX): E-mail servers
CNAME: Aliases in zone. List multiple services in DNS
Address (A): IP to Hostname; for DNS lookup

DNS footprinting: whois, nslookup, dig

TCP Header Flags
URG: Indicates data being sent out of band
ACK: Acknowledgement, to and after SYN
PSH: Forces delivery without concern for buffering
RST: Forces comms termination in both directions
SYN: Initial comms. Parameters and sequence #'s
FIN: Ordered close to communications

DHCP
Client --Discover--> Server
Client <--Offer-- Server
Client --Request--> Server
Client <--ACK-- Server
IP is removed from pool

Scanning & Enumeration

ICMP Message Types
0: Echo Reply: Answer to type 8 Echo Request
3: Destination Unreachable: No host/network
  Codes:
  0 - Destination network unreachable
  1 - Destination host unreachable
  6 - Network unknown
  7 - Host unknown
  9 - Network administratively prohibited
  10 - Host administratively prohibited
  13 - Communication administratively prohibited
4: Source Quench: Congestion control message
5: Redirect: 2+ gateways for sender to use, or the best route is not the configured default gateway
  Codes:
  0 - Redirect datagram for the network
  1 - Redirect datagram for the host
8: Echo Request: Ping message requesting echo
11: Time Exceeded: Packet took too long to be routed

CIDR
Method of representing IP addresses
IPv4 Notation   Addresses   Mask ends in
/30             4           .255.252
/28             16          .255.240
/26             64          .255.192
/24             256         .255.0
/22             1024        .248.0
/20             4096        .240.0

Port Numbers
0 - 1023: Well-known
1024 - 49151: Registered
49152 - 65535: Dynamic

Important Port Numbers
FTP: 20/21
SSH: 22
Telnet: 23
SMTP: 25
WINS: 42
TACACS: 49
DNS: 53
HTTP: 80 / 8080
Kerberos: 88
POP3: 110
Portmapper (Linux): 111
NNTP: 119
NTP: 123
RPC-DCOM: 135
NetBIOS/SMB: 137-139
IMAP: 143
SNMP: 161/162
LDAP: 389
HTTPS: 443
CIFS: 445
RADIUS: 1812
RDP: 3389
IRC: 6667
Printer: 515, 631, 9100
Tini: 7777
NetBus: 12345
Back Orifice: 27374
Sub7: 31337

HTTP Error Codes
200 Series - OK
400 Series - Could not provide request
500 Series - Could not process request

Nmap
Nmap is the de-facto tool for this pen-test phase.
nmap <scan options> <target>
-sA: ACK scan
-sF: FIN scan
-sS: SYN scan
-sT: TCP scan
-sI: IDLE scan
-sn: PING sweep
-sN: NULL scan
-sS: Stealth scan
-sR: RPC scan
-P0: No ping
-sW: Window scan
-sX: XMAS tree scan
-PI: ICMP ping
-PS: SYN ping
-PT: TCP ping
-oN: Normal output
-oX: XML output
-A: OS/Vers/Script
-T<0-4>: Slow - Fast

Scan Types
TCP: 3 way handshake on all ports. Open = SYN/ACK, Closed = RST/ACK
SYN: SYN packets to ports (incomplete handshake). Open = SYN/ACK, Closed = RST/ACK
FIN: Packet with FIN flag set. Open = no response, Closed = RST
XMAS: Multiple flags set (FIN, URG, and PSH). Binary header: 00101001. Open = no response, Closed = RST
ACK: Used for Linux/Unix systems. Open = RST, Closed = no response
IDLE: Spoofed IP, SYN flag, designed for stealth. Open = SYN/ACK, Closed = RST/ACK
NULL: No flags set. Responses vary by OS. NULL scans are designed for Linux/Unix machines.

NetBIOS
nbtstat
nbtstat -a COMPUTER
nbtstat -A 192.168.10.12     remote table
nbtstat -n                   local name table
nbtstat -c                   local name cache
nbtstat -R                   purge name cache file
nbtstat -S 10                display session stats every 10 sec
1B == master browser for the subnet
1C == domain controller
1D == domain master browser

SNMP
Uses a community string for PW
SNMPv3 encrypts the community strings

Sniffing and Evasion

IPv4 and IPv6
IPv4 == unicast, multicast, and broadcast
IPv6 == unicast, multicast, and anycast
IPv6 unicast and multicast scope includes link local, site local and global.

MAC Address
First half = 3 bytes (24bits) = Org UID
Second half = unique number

NAT (Network Address Translation)
Basic NAT is a one-to-one mapping where each internal IP == a unique public IP.
NAT overload (PAT) == port address translation. Typically used as it is the cheaper option.

Stateful Inspection
Concerned with the connections. Doesn't sniff every packet, it just verifies if it's a known connection, then passes it along.

HTTP Tunnelling
Crafting of wrapped segments through a port rarely filtered by the firewall (e.g., 80) to carry payloads that may otherwise be blocked.

Snort IDS
It has 3 modes: Sniffer / Packet logger / Network IDS.
Config file: /etc/snort, or c:\snort\etc
alert tcp !$HOME_NET any -> $HOME_NET 31337 (msg:"BACKDOOR ATTEMPT-Back-orifice.")
Any packet from any address != home network, using any source port, intended for an address in home network on port 31337: send msg.

Span port: port mirroring
False Negative: IDS incorrectly reports stream clean

IDS Evasion Tactics
Slow down OR flood the network (and sneak through in the mix) OR fragmentation

TCPdump syntax
tcpdump flag(s) interface

Attacking a System

C|EH rules for passwords
Must not contain user's name. Min 8 chars. 3 of 4 complexity components, e.g., Special, Number, Uppercase, Lowercase.

LM Hashing
7 spaces hashed: AAD3B435B51404EE

Attack types
Passive Online: Sniffing wire, intercept cleartext password / replay / MITM
Active Online: Password guessing
Offline: Steal copy of password, i.e., SAM. Cracking efforts on a separate system.
Non-electronic: Social Engineering

Sidejacking
Steal cookies exchanged between systems and use them to perform a replay-style attack.

Authentication Types
Type 1: Something you know
Type 2: Something you have
Type 3: Something you are

Session Hijacking
Refers to the active attempt to steal an entire established session from a target.
1. Sniff traffic between client and server
2. Monitor traffic and predict sequence
3. Desynchronise session with client
4. Predict session token and take over session
5. Inject packets to the target server

Kerberos
Kerberos makes use of symmetric and asymmetric encryption technologies and involves:
KDC: Key Distribution Centre
AS: Authentication Service
TGS: Ticket Granting Service
TGT: Ticket Granting Ticket
Process
1. Client asks KDC (who has AS and TGS) for ticket to authenticate throughout the network. This request is in clear text.
2. Server responds with secret key, hashed by the password copy kept on AD server (TGT).
3. TGT sent back to server requesting TGS if user decrypts.
4. Server responds with ticket, and client can log on and access network resources.

SAM file
C:\Windows\system32\config

Registry
2 elements make a registry setting: a key (location pointer), and value (defines the key setting).
Root level keys are as follows:
HKEY_LOCAL_MACHINE - Info on hard/software
HKEY_CLASSES_ROOT - Info on file associations and Object Linking and Embedding (OLE) classes
HKEY_CURRENT_USER - Profile info on current user
HKEY_USERS - User config info for all active users
HKEY_CURRENT_CONFIG - Pointer to \Hardware Profiles\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  \RunServicesOnce
  \RunServices
  \RunOnce
  \Run

Social Engineering

Human based attacks
Dumpster diving
Impersonation
Technical Support
Shoulder Surfing
Tailgating / Piggybacking

Computer based attacks
Phishing - Email scam
Whaling - Targeting CEOs
Pharming - Evil Twin website

Types of Social Engineers
Insider Associates: Limited authorized access
Insider Affiliates: Insiders by virtue of affiliation that spoof the identity of the insider
Outsider Affiliates: Non-trusted outsiders that use an access point that was left open

Physical Security

3 major categories of physical security measures
Physical measures: Things you taste, touch, smell
Technical measures: Smart cards, biometrics
Operational measures: Policies and procedures

Web-based Hacking

CSRF - Cross Site Request Forgery
Dot-dot-slash Attack: Variant of Unicode or un-validated input attack

SQL Injection attack types
Union Query: Use the UNION command to return the union of target Db with a crafted Db
Tautology: Term used to describe behavior of a Db when deciding if a statement is true
Blind SQL Injection: Trial and error with no responses or prompts
Error based SQL Injection: Enumeration technique. Inject poorly constructed commands to have Db respond with table names and other information.

Buffer Overflow
A condition that occurs when more data is written to a buffer than it has space to store and results in data corruption. Caused by insufficient bounds checking, a bug, or poor configuration in the program code.
Stack: Premise is all program calls are kept in a stack and performed in order. Try to change a function pointer or variable to allow code exe.
Heap: Takes advantage of memory "on top of" the application (dynamically allocated). Use program to overwrite function pointers.
NOP Sled: Takes advantage of instruction called "no-op". Sends a large # of NOP instructions into buffer. Most IDS protect from this attack.

Dangerous SQL functions
The following do not check size of destination buffers: gets() strcpy() strcat() printf()

Wireless Network Hacking

Wireless sniffing
Compatible wireless adapter with promiscuous mode is required, but otherwise pretty much the same as sniffing wired.

802.11 Specifications
WEP: RC4 with 24bit vector. Keys are 40 or 104bit
WPA: RC4 supports longer keys; 48bit IV
WPA/TKIP: Changes IV each frame and key mixing
WPA2: AES + TKIP features; 48bit IV

Spec      Dist   Speed       Freq
802.11a   30m    54 Mbps     5GHz
802.11b   100m   11 Mbps     2.4 GHz
802.11g   100m   54 Mbps     2.4 GHz
802.11n   125m   100 Mbps+   2.4/5GHz

Bluetooth Attacks
Bluesmacking: DoS against a device
Bluejacking: Sending messages to/from devices
Bluesniffing: Sniffs for Bluetooth
Bluesnarfing: Actual theft of data from a device

Trojans and Other Attacks

Virus Types
Boot: Moves boot sector to another location. Almost impossible to remove.
Camo: Disguise as legit files.
Cavity: Hides in empty areas in exe.
Macro: Written in MS Office Macro Language.
Multipartite: Attempts to infect files and boot sector at same time.
Metamorphic virus: Rewrites itself when it infects a new file.
Network: Spreads via network shares.
Polymorphic Code virus: Encrypts itself using built-in polymorphic engine. Constantly changing signature makes it hard to detect.
Shell virus: Like boot sector but wrapped around application code, and run on application start.
Stealth: Hides in files, copies itself to deliver payload.

DOS Types
SYN Attack: Send thousands of SYN packets with a false IP address. Target will attempt SYN/ACK response. All machine resources will be engaged.
SYN Flood: Send thousands of SYN packets but never respond to any of the returned SYN/ACK packets. Target will run out of available connections.
ICMP Flood: Send ICMP Echo packets with a fake source address. Target attempts to respond but reaches a limit of packets sent per second.
Application level: Send more "legitimate" traffic to a web application than it can handle.
Smurf: Send large number of pings to the broadcast address of the subnet with source IP spoofed to target. Subnet will send ping responses to target.
Fraggle Attack: Similar to Smurf but uses UDP.
Ping of Death: Attacker fragments ICMP message to send to target. When the fragments are reassembled, the resultant ICMP packet is larger than max size and crashes the system.

Viruses
Heartbleed: CVE-2014-0160. Found by Neel Mehta, Heartbleed is a vulnerability with heartbeat in the OpenSSL software library. Allowed for MITM to steal information protected under normal conditions by SSL/TLS encryption.
POODLE: CVE-2014-3566. MITM exploit which took advantage of internet and software client fallback to SSL 3.0.
Shellshock: CVE-2014-6271. Exploits a vuln that executes code inside the ' ' where the text should not be exe.
ILOVEYOU: A worm originating in the Philippines. Started on May 5, 2000, and was built on a VBS macro in Microsoft Word/Excel templates.
MELISSA: Email virus based on MS Word macro. Created in 1999 by David L. Smith.

Linux Commands

Linux File System
/ - Root
/var - Variable data / log files
/bin - Binaries / user commands
/sbin - Sys binaries / admin commands
/root - Home dir for root user
/boot - Stores kernel
/proc - Direct access to kernel
/dev - Hardware storage devices
/mnt - Mount devices

Identifying Users and Processes
INIT process ID 1
Root UID, GID 0
Accounts of services 1-999
All other users above 1000

Permissions
4 - Read
2 - Write
1 - Execute
User/Group/Others
764 - User>RWX, Grp>RW, Other>R

Snort
action protocol address port -> address port (option:value;option:value)
alert tcp 10.0.0.1 25 -> 10.0.0.2 25 (msg:"Sample Alert"; sid:1000;)

Command Line Tools
NMap: nmap -sT -T5 -n -p 1-100 10.0.0.1
Netcat: nc -v -z -w 2 10.0.0.1
TCPdump: tcpdump -i eth0 -v -X ip proto 1
Snort: snort -vde -c my.rules
hping: hping3 -I eth0 -c 10 -a 2.2.2.2 -t 100 10.0.0.1
iptables: iptables -A FORWARD -j ACCEPT -p tcp --dport 80

Tools of the Trade

Vulnerability Research: National Vuln Db, Eccouncil.org, Exploit-db

Foot-printing
Website Research Tools: Netcraft, Webmaster, Archive
DNS and Whois Tools: Nslookup, Sam Spade, ARIN, WhereisIP, DNSstuff, DNS-Digger
Website Mirroring: Wget, Archive, GoogleCache

Scanning and Enumeration
Ping Sweep: Angry IP Scanner, MegaPing
Scanning Tools: SuperScan, NMap (Zenmap), NetScan Tools Pro, Hping, Netcat
War Dialing: THC-Scan, TeleSweep, ToneLoc, WarVox
Banner Grabbing: Telnet, ID Serve, Netcraft, Xprobe
Vulnerability Scanning: Nessus, SAINT, Retina, Core Impact, Nikto
Network Mapping: NetMapper, LANState, IPSonar
Proxy, Anonymizer, and Tunneling: Tor, ProxySwitcher, ProxyChains, SoftCab, HTTP Tunnel, Anonymouse
Enumeration: SuperScan, User2Sid/Sid2User, LDAP Admin, Xprobe, Hyena
SNMP Enumeration: SolarWinds, SNMPUtil, SNMPScanner

System Hacking Tools
Password Hacking: Cain, John the Ripper, LCP, THC-Hydra, ElcomSoft, Aircrack, Rainbow Crack, Brutus, KerbCrack
Sniffing: Wireshark, Ace, KerbSniff, Ettercap
Keyloggers and Screen Capture: KeyProwler, Ultimate Keylogger, All in one Keylogger, Actual Spy, Ghost, Hidden Recorder, Desktop Spy, USB Grabber
Privilege Escalation: Password Recovery Boot Disk, Password Reset, Password Recovery, System Recovery
Executing Applications: PDQ Deploy, RemoteExec, Dameware
Spyware: insider, Remote Desktop Spy, Activity Monitor, OSMonitor, SSPro, Spector Pro
Covering Tracks: ELsave, Cleaner, EraserPro, Evidence Eliminator
Packet Crafting/Spoofing: Komodia, Hping2, PackEth, Packet Generator, Netscan, Scapy, Nemesis
Session Hijacking: Paros Proxy, Burp Suite, Firesheep, Hamster/Ferret, Ettercap, Hunt

Cryptography and Encryption
Encryption: TrueCrypt, BitLocker, DriveCrypt
Hash Tools: MD5 Hash, Hash Calc
Steganography: XPTools, ImageHide, Merge Streams, StegParty, gifShuffle, QuickStego, InvisibleSecrets, EZStego, OmniHidePro
Cryptanalysis: Cryptobench

Sniffing
Packet Capture: Wireshark, CACE, tcpdump, Capsa, OmniPeek, Windump, dnsstuff, EtherApe
Wireless: Kismet, Netstumbler
MAC Flooding/Spoofing: Macof, SMAC
ARP Poisoning: Cain, UfaSoft, WinARP Attacker

Wireless
Discovery: Kismet, NetStumbler, NetSurveyor
Packet Sniffing: Cascade Pilot, Omnipeek, Comm View, Capsa
WEP/WPA Cracking: Aircrack, KisMac, Wireless Security Auditor, WepAttack, WepCrack, coWPatty
Bluetooth: BTBrowser, BH Bluejack, BTScanner, Bluesnarfer
Mobile Device Tracking: Wheres My Droid, Find My Phone, GadgetTrack, iHound

Trojans and Malware
Wrappers: Elite Wrap
Monitoring Tools: HiJackThis, CurrPorts, Fport
Attack Tools: Netcat, Nemesis

IDS
Snort
Evasion Tools: ADMutate, NIDSBench, IDSInformer, Inundator

Web Attacks
Wfetch, Httprecon, ID Serve, WebSleuth, Black Widow, CookieDigger, Nstalker, NetBrute
SQL Injection: BSQL Hacker, Marathon, SQL Injection Brute, SQL Brute, SQLNinja, SQLGET

Find more StationX Cheat Sheets here - https://www.stationx.net/category/cheat-sheets/