Certifi ed Ethical Hacker - pearsoncmg.com

1 Certified Ethical Hacker (CEH) Cert Guide Michael Gregg 800 East 96th Street Indianapolis, Indiana 46240 USA. Certified Ethical Hacker (CEH) Cert Guide Associate Publisher Copyright 2014 by Pearson Education, Inc. Dave Dusthimer All rights reserved. No part of this book shall be reproduced, stored in Acquisitions Editor a retrieval system, or transmitted by any means, electronic, mechanical, Betsy Brown photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the Development Editor information contained herein. Although every precaution has been taken in Ellie C. Bru the preparation of this book, the publisher and author assume no respon- Managing Editor sibility for errors or omissions. Nor is any liability assumed for damages Sandra Schroeder resulting from the use of the information contained herein. ISBN-13: 978-0-7897-5127-0 Senior Project Editor ISBN-10: 0-7897-5127-5 Tonya Simpson Copy Editor Library of Congress Control Number: 2013953303 Keith Cline Printed in the United States of America Indexer Second Printing: May 2014 Tim Wright Trademarks Proofreader All terms mentioned in this book that are known to be trademarks or ser- Kathy Ruiz vice marks have been appropriately capitalized.

2 Pearson IT Certi cation Technical Editors cannot attest to the accuracy of this information. Use of a term in this book Brock Pearson should not be regarded as affecting the validity of any trademark or service Tatyana Zidarov mark. Publishing Coordinator Warning and Disclaimer Vanessa Evans Every effort has been made to make this book as complete and as accurate as possible, but no warranty or tness is implied. The information provided Media Producer is on an as is basis. The author and the publisher shall have neither li- Lisa Matthews ability nor responsibility to any person or entity with respect to any loss or Book Designer damages arising from the information contained in this book or from the Alan Clements use of the CD or programs accompanying it. Compositor Bulk Sales Jake McFarland Pearson IT Certi cation offers excellent discounts on this book when or- dered in quantity for bulk purchases or special sales. For more information, please contact Corporate and Government Sales 1-800-382-3419.

3 For sales outside of the , please contact International Sales Contents at a Glance Introduction xxiii CHAPTER 1 Ethical Hacking Basics 3. CHAPTER 2 The Technical Foundations of Hacking 39. CHAPTER 3 Footprinting and Scanning 77. CHAPTER 4 Enumeration and System Hacking 137. CHAPTER 5 Linux and Automated Assessment Tools 173. CHAPTER 6 Trojans and Backdoors 213. CHAPTER 7 Sniffers, Session Hijacking, and Denial of Service 251. CHAPTER 8 Web Server Hacking, Web Applications, and Database Attacks 297. CHAPTER 9 Wireless Technologies, Mobile Security, and Attacks 341. CHAPTER 10 IDS, Firewalls, and Honeypots 381. CHAPTER 11 Buffer Overflows, Viruses, and Worms 417. CHAPTER 12 Cryptographic Attacks and Defenses 453. CHAPTER 13 Physical Security and Social Engineering 493. CHAPTER 14 Final Preparation 527. Glossary 535. Practice Exam I 561. Practice Exam II 603. Index 646. APPENDIX A Answers to the Do I Know This Already? Quizzes and Review Questions (CD only). APPENDIX B Memory Tables (CD only).

4 APPENDIX C Memory Table Answer Key (CD only). iv Certified Ethical Hacker (CEH) Cert Guide Table of Contents Introduction xxiii Chapter 1 Ethical Hacking Basics 3. Do I Know This Already? Quiz 3. Foundation Topics 6. Security Fundamentals 6. Goals of Security 7. Risk, Assets, Threats, and Vulnerabilities 8. Defining an Exploit 10. Security Testing 10. No-Knowledge Tests (Black Box) 11. Full-Knowledge Testing (White Box) 11. Partial-Knowledge Testing (Gray Box) 11. Types of Security Tests 12. Hacker and Cracker Descriptions 13. Who Attackers Are 15. Hacker and Cracker History 16. Ethical Hackers 17. Required Skills of an Ethical Hacker 18. Modes of Ethical Hacking 19. Test Plans Keeping It Legal 21. Test Phases 23. Establishing Goals 24. Getting Approval 25. Ethical Hacking Report 25. Vulnerability Research Keeping Up with Changes 26. Ethics and Legality 27. Overview of Federal Laws 28. Compliance Regulations 30. Chapter Summary 31. Exam Preparation Tasks 32. Review All Key Topics 32.

5 Hands-On Labs 32. Lab 1-1 Examining Security Policies 32. Table of Contents v Review Questions 33. Define Key Terms 36. View Recommended Resources 36. Chapter 2 The Technical Foundations of Hacking 39. Do I Know This Already? Quiz 39. Foundation Topics 42. The Attacker's Process 42. Performing Reconnaissance and Footprinting 42. Scanning and Enumeration 43. Gaining Access 44. Escalation of Privilege 45. Maintaining Access 45. Covering Tracks and Planting Backdoors 45. The Ethical Hacker 's Process 46. National Institute of Standards and Technology 47. Operational Critical Threat, Asset, and Vulnerability Evaluation 47. Open Source Security Testing Methodology Manual 48. Security and the Stack 48. The OSI Model 48. Anatomy of TCP/IP Protocols 51. The Application Layer 53. The Transport Layer 57. The Internet Layer 60. The Network Access Layer 65. Chapter Summary 67. Exam Preparation Tasks 67. Review All Key Topics 67. Define Key Terms 68. Exercises 68. Install a Sniffer and Perform Packet Captures 68.

6 List the Protocols, Applications, and Services Found at Each Layer of the Stack 70. Review Questions 71. Suggested Reading and Resources 75. vi Certified Ethical Hacker (CEH) Cert Guide Chapter 3 Footprinting and Scanning 77. Do I Know This Already? Quiz 77. Foundation Topics 80. The Seven-Step Information-Gathering Process 80. Information Gathering 80. Documentation 80. The Organization's Website 81. Job Boards 83. Employee and People Searches 84. EDGAR Database 87. Google Hacking 88. Usenet 92. Registrar Query 93. DNS Enumeration 96. Determine the Network Range 101. Traceroute 101. Identifying Active Machines 104. Finding Open Ports and Access Points 105. Nmap 112. SuperScan 115. THC-Amap 115. Scanrand 116. Hping 116. Port Knocking 117. War Dialers 117. War Driving 118. OS Fingerprinting 118. Active Fingerprinting Tools 120. Fingerprinting Services 122. Default Ports and Services 122. Finding Open Services 123. Mapping the Network Attack Surface 125. Manual Mapping 125. Automated Mapping 125.

7 Table of Contents vii Chapter Summary 127. Exam Preparation Tasks 127. Review All Key Topics 127. Define Key Terms 128. Command Reference to Check Your Memory 128. Exercises 129. Performing Passive Reconnaissance 129. Performing Active Reconnaissance 130. Review Questions 131. Suggested Reading and Resources 134. Chapter 4 Enumeration and System Hacking 137. Do I Know This Already? Quiz 137. Foundation Topics 140. Enumeration 140. Windows Enumeration 140. Windows Security 142. NetBIOS and LDAP Enumeration 143. NetBIOS Enumeration Tools 145. SNMP Enumeration 148. Linux/UNIX Enumeration 149. NTP Enumeration 150. SMTP Enumeration 150. DNS Enumeration 151. System Hacking 151. Nontechnical Password Attacks 151. Technical Password Attacks 152. Password Guessing 152. Automated Password Guessing 153. Password Sniffing 154. Keystroke Loggers 155. Privilege Escalation and Exploiting Vulnerabilities 155. Exploiting an Application 156. Exploiting a Buffer Overflow 156. Owning the Box 157. viii Certified Ethical Hacker (CEH) Cert Guide Authentication Types 158.

8 Cracking the Passwords 159. Hiding Files and Covering Tracks 162. File Hiding 163. Chapter Summary 165. Exam Preparation Tasks 165. Review All Key Topics 165. Define Key Terms 166. Command Reference to Check Your Memory 166. Exercise 166. NTFS File Streaming 166. Review Questions 167. Suggested Reading and Resources 171. Chapter 5 Linux and Automated Assessment Tools 173. Do I Know This Already? Quiz 173. Foundation Topics 176. Linux 176. Linux or Windows? Picking the Right Platform 176. Linux File Structure 177. Linux Basics 179. Passwords and the Shadow File 182. Linux Passwords 183. Compressing, Installing, and Compiling Linux 185. Hacking Linux 186. Reconnaissance 186. Scanning 186. Enumeration 188. Gaining Access 188. Privilege Escalation 190. Maintaining Access and Covering Tracks 191. Hardening Linux 194. Automated Assessment Tools 196. Automated Assessment Tools 196. Source Code Scanners 197. Table of Contents ix Application-Level Scanners 197. System-Level Scanners 198. Automated Exploit Tools 201.

9 Chapter Summary 203. Exam Preparation Tasks 204. Review All Key Topics 204. Define Key Terms 204. Command Reference to Check Your Memory 205. Exercises 205. Downloading and Running Backtrack 205. Using Backtrack to Perform a Port Scan 206. Creating a Virtual Machine 206. Cracking Passwords with John the Ripper 207. Review Questions 208. Suggested Reading and Resources 210. Chapter 6 Trojans and Backdoors 213. Do I Know This Already? Quiz 213. Foundation Topics 216. Trojans 216. Trojan Types 216. Trojan Ports and Communication Methods 217. Trojan Goals 219. Trojan Infection Mechanisms 219. Effects of Trojans 220. Trojan Tools 221. Distributing Trojans 225. Trojan Tool Kits 226. Covert Communication 227. Covert Communication Tools 231. Port Redirection 232. Other Redirection and Covert Tools 234. Keystroke Logging and Spyware 235. Hardware 236. Software 236. Spyware 237. x Certified Ethical Hacker (CEH) Cert Guide Trojan and Backdoor Countermeasures 238. Chapter Summary 240. Exam Preparation Tasks 241.

10 Review All Key Topics 241. Define Key Terms 242. Command Reference to Check Your Memory 242. Exercises 243. Finding Malicious Programs 243. Using a Scrap Document to Hide Malicious Code 244. Using Process Explorer 244. Review Questions 246. Suggested Reading and Resources 248. Chapter 7 Sniffers, Session Hijacking, and Denial of Service 251. Do I Know This Already? Quiz 251. Foundation Topics 254. Sniffers 254. Passive Sniffing 254. Active Sniffing 255. Address Resolution Protocol 255. ARP Poisoning and Flooding 256. Tools for Sniffing 260. Wireshark 260. Other Sniffing Tools 262. Sniffing and Spoofing Countermeasures 263. Session Hijacking 264. Transport Layer Hijacking 264. Predict the Sequence Number 265. Take One of the Parties Offline 267. Take Control of the Session 267. Application Layer Hijacking 267. Session Sniffing 267. Predictable Session Token ID 268. Man-in-the-Middle Attacks 268. Man-in-the-Browser Attacks 269. Table of Contents xi Client-Side Attacks 269. Session-Hijacking Tools 271.