1. TCP 445
    SMB (filesharing)
  2. TCP 514
  3. POP3 Port
  4. LDAP Port
  5. Discovered UDP 69 is open
    Unauthorized uploads and downloads
  6. Wireshark command to capture packets
  7. TCP 135
    • Endpoint Mapper
    • SMB
  8. chntpw
    (old) lets you boot machine from CD and set admin password
  9. /etc/shadow/
  10. /etc/passwd/
  11. Metasploit Pass-the-hash
  12. Crypto time memory trade off
    Rainbow Table
  13. MS Management
  14. Dimitri
    Used for EXIF data
  15. Dumper
    Used for USB attacks
  16. Resolve IP from name
    host -t a <domain>
  17. RDP Port
  18. nslookup parameter for server records
    set type=ns
  19. CVSS High
    7.0 - 8.9
  20. CVSS Medium
    4.0 - 6.9
  21. CVSS Low
    .01 - 3.9
  22. Vulnerability DB's
    • CVE
    • NVD
  23. CVSS Vulnerability Specific
  24. CVSS Threat Specific
  25. Fuzzer
    Sends random or sequential values to a webapp in hopes of crashing or compromising it
  26. Linux tool used for analyzing/parsing text and directory listings with regex to look for important words
  27. Tools for ripping passwords
    • Cain & Abel
    • John the Ripper
  28. SID 500
    Sys Admin
  29. Hybrid Password Attack
    Using a list of words and appending/prepending various characters to them to test as passwords
  30. Snow
    Uses spaces/tabs/carriage returns to hide information
  31. LANMAN Encryption
  32. NTLMv1 Encryption
  33. NTLMv2 Encryption
  34. KerbCrack
    Password cracking tool
  35. display all running services on a Windows computer
    sc query
  36. Rootkit objectives
    • Hide user/files/processes
    • Replace legitimate programs/functions
  37. Valid methods Linux uses to secure /etc/passwd file
    • MD5
    • DES
    • Blowfish
  38. Code inside of an application file
    Cavity Virus
  39. Can infect both boot sector and exe files
  40. Determine current bandwidth being used on a network
  41. Best defense against ransomware
  42. Putting files in a staging area and executing in a VM before being forwarded
    Heuristic Analysis
  43. Making your illegitimate website look legit so people believe it
    Watering Hole
  44. Software suite that is used by cybercriminals to attack/exploit victims
  45. Blackhole vs Metasploit
    Similar, but blackhole is more crime-oriented
  46. Cryptolocker
    Commonly-used ransomware
  47. Tool used to insert malware into good applications
  48. nc - l - p <port>
    • netcat commands
    • listen on specified port
  49. nc <ip> <port>
    • netcat command
    • forward packets to ip address on port specified
  50. Requires an OS to replicate, but doesn't spread from machine-machine automatically
  51. Means of access bypassing normal authorization
    • Trapdoor
    • (i.e. a backdoor for when admins lock themselves out)
  52. Tool used to determine which applications are using what ports
  53. netcat -u
    use UDP (instead of TCP)
  54. netcat -v
  55. netcat -w <number>
    wait x seconds
  56. lsof command
    • list open files
    • used in UNIX systems
    • shows processes and what opened them
  57. Wireshark returns details in
  58. Tools for intercepting transmissions and injecting data into them
    • Man In the Middle
    • (I.e. Ettercap)
  59. TCPDump
    • Protocol Sniffer
    • (Doesn't interact; is passive)
  60. Nmap
    • Network Mapper
    • Discovers hosts and services on a network
  61. ARP
    Sends a broadcast looking for a MAC address associated with an IP address
  62. Tool that can combine/manipulate multiple packet capture files
  63. Port Stealing
    causes switch to redirect frames intended for a server (or host) to a 3rd party
  64. What level does a sniffer operate on?
    Level 2 (Data Link)
  65. Tool for detecting wireless networks
    • Kismet
    • Operates on Layer 2
    • Is a net detector/sniffer/IDS
  66. Kismet vs NetStumbler
    • NetStumbler = Windows
    • Kismet = LINUX
  67. How to defend against ARP spoofing
    Port Security enabled on switch
  68. Smurf Attack
    • Forged packet sent to broadcast address and all hosts reply to one victim
    • Also known as "reflected"
  69. Fraggle Attack
    Smurf attack over UDP
  70. Radioactive tab
    Cain & Abel
    identifies suspicious ARP entry changes
  72. Removes use of OUR packets
    Static ARP entries
  73. SPAN port
    Allows to monitor switch ports by copying their frames
  74. tcp.flags==0x02
  75. tcp.flags==0x12
  76. tcp..ack==1 && tcp.len=0
  77. Using a switch and performing sniffing is considered
    • ACTIVE
    • (according to EC-Council)
  78. Wireshark command to display all data containing 'facebook'
    tcp contains facebook
  79. Used to extract portions of a trace captured with TCPdump
  80. This tool generates continuous streams of frames to flood a switch and cause it to broadcast traffic
  81. PCAP is the packet capture engine used for
    • TCPdump
    • Wireshark
    • Snort
  82. DNS poisoning object
    divert traffic traveling through DNS
  83. Snort
    Sniffer & IDS
  84. Wireshark
    Sniffer & Protocol Analyzer
  85. MITM attack tools
    • Dsniff
    • Ettercap
    • Caine & Abel
  86. Windows packet capture library
  87. Vishing
    Phishing with VoIP or automated systems
  88. E-mail based
    not an official aspect of social engineering
  89. SYN FLOOD is an example of
    • TCP state echaustion
    • (consumes all available TCP connections)
    • (this can also be considered DoS)
  90. Overlapping packets
    Fragmentation Attack
  91. Authentication method used by modems/frame relay/ISDN
  92. Client-Side Session Attacks
    • XSS
    • CSRF
  93. CSRF
    • Cross-Site Request Forgery
    • Taking advantage of someone else's session
  94. bank xfer.asp
  95. httponly
    • Flag on cookie that blocks JS from accessing the cookie
    • Prevents cookie-based session stealing
  96. TCP "session" hijacking occurs at the
    • Transport Layer
    • (This is an EC-Council thing)
  97. Access Cards
    Extensible Authentication Protocol (EAP)
  98. NMap parameter resulting in stealth
  99. -sS
    Nmap parameter that determines open/closed ports but does not complete handshake
  100. Type of scan used to get through packet filters
    IP Fragment
  101. Nmap -Pn
    • tells Nmap not to probe if a host is up; scan instead
    • Useful for evading IPS
  102. Nmap -A
    Detect OS and services
  103. Nmap -sV
    Service detection
  104. nmap -sU
    UDP Scan
  105. nmap -sT
    TCP connect scan
  106. nmap -sS
    TCP SYN scan
  107. Nmap -T0
    • literally "time 0"
    • high speed scanning; no stealth
  108. Tools to validate an IDS alert prior to escalating
    • TCPDump
    • Wireshark
  109. Cryptcat
    • Encrypted Netcat
    • Uses SSL
    • Reads/Writes data across a network
  110. Looks at packet headers only
    Packet Filter
  111. Circuit Level Gateway
    Inspects layer 1-4 information
  112. Inspects all layers
    Application-Level Firewall
  113. TCP-Over-DNS
    Allows for an encrypted tunnel that looks like a DNS exchange
  114. Dividing a payload into multiple packets and delivering over an extended period of time to bypass IDS
    Session Splicing
  115. Tripwire
    • File Integrity Checker
    • also a System Integrity Verifier
  116. Methods of evading an IDS
    • Fragmentation
    • Source Routing
    • Spoofed Source Address
  117. snort --> <ip> <port>
    refers to rules to destination ip and port
  118. Motivation for sending a TCP ACK flag
    Trick device into believing there is already an established handshake
  119. How can an IDS examine SSL/TLS traffic?
    Use an accelerator or proxy
  120. Block These to stop NetBIOS traffic
    • 135
    • 137
    • 139
    • 445
  121. IPTables
    • Linux application that can restrict inbound/outbound packets
    • Also performs stateful inspection
  122. TCP Port 21
  123. Good choices for tunneling
    • 53
    • ICMP
  124. Bash Bug/Shellshock
    Allows a remote attacker to see or change environment parameters & interact with file systems
  125. Basic Authentication is cleared
    when the browser is closed
  126. Shellshock attacks the
    • CGI
    • NOT the command shell!
  127. Nikto
    • Comprehensive pentesting tool
    • Checks security
    • Sends obfuscated messages
    • Tries to bypass access controls
  128. %2e%2e
    ".." in unicode/hex
  129. Nmap engine for interrogating a web server
  130. Vulnerability Assessment Tools
    • Accutentix
    • NetSparker
    • Vega
  131. Metasploit is a ____ tool
    • exploitation
    • NOT vulnerability assessment
  132. Tools for banner grabbing
    • Netcat
    • Telnet
  133. Use metasploit as a pivot point
  134. Union-based SQL Injection
    Special commands to overlay data on pages or to call up internal variables from the SQL server
  135. Static Analysis
    Reading source code and discerning vulnerabilities in it
  136. Vulnerability Scanners that perform static analysis
    • HP WebInspect
    • IBM AppScan
  137. xp_cmdshell
    MS SQL Server option that allows users to shell into remote servers running webapps
  138. 'waitfor delay'
    Blind SQL Injection
  139. 802.16 Max Range
    30 mi
  140. 3-30MHz
  141. Steal 802.11 messages that are using WEP-PSK
  142. Unsolicited bluetooth messages
  143. 2007 TJ Maxx intrusion due to vulnerability in
  144. Blueprinting
    NOT a real BT attack
  145. Kismet
    • Runs on Linux
    • Operates at Layer 2
    • Used to discover wireless networks
  146. Intercept frames needed to crack wireless protocols using
  147. WPA2 Encryption
    AES-CCMP 128-bit
  148. WEP IV size
    24 bits
  149. Pre-Shared Key
    Think of Symmetric Key
  150. Problems with WEP
    • Small IV (24-bit)
    • Key Management
    • Design Flaws
  151. WEP Encryption Algorithm
  152. Connecting to an AP with SSID broadcast disabled
    SSID is inside AP and endpoint packets
  153. SSID also acts as kind of a
    • password for the network
    • (according to EC-Council)
  154. Jailbreak after booting
    Userland jailbreak
  155. Not a risk typically associated with BYOD
    CPU Overrun
  156. Not a valid element of MDM
    Providing secure device disposal
  157. Tool used to attack blackberry phones
  158. Synonymous with SCADA
    • IDC
    • (Industrial Controls)
  159. Blueborne attacks
    • Exploit weakness in BT protocol
    • Not specific to a particular OS or application
  160. SCADA ports
    • Are not agreed upon
    • Scan them all
    • Scan TCP & UDP
  161. Rolling Code
    Attack on a car
  162. LANMAN encryption
  163. NTLMv1 Encryption
  164. NTLMv2 Encryption
  165. LANMAN characteristics
    • Forces all lowercase to uppercase
    • Only processes first 14 characters, truncates rest
  166. PaaS
    Provide a gen purpose OS, which is configured and managed
  167. IaaS
    Datacenter in the cloud
  168. Hybrid Cloud
    Combination of Public & Private Cloud
  169. Elliptic Curves
  170. Factoring Large Prime Numbers
  171. Famous attack on OpenSSL
  172. IPSec operates at the ___ layer
    • 3
    • (Network)
  173. SHA-1 message digets
    160 bits
  174. SHA-2 message digest
    224/256 bits
  175. IPSec feature for confidentiality
    ESP header
  176. PGP, SSL, SSH all employ
    Public Key
  177. IPSec is a ___ protocol
  178. Creating 2 different files that have the same hash
  179. This component of IPSec negotiates keys and encryption
  180. Attack for decrypting data between browser and server (side channel)
  181. Hashing algorithms that check integrity
    • MD5
    • SHA
  182. Password-Cracking Tools
    • John The Ripper
    • KerbCrack
    • Cain & Abel
  183. Characteristics of PKI
    • PKI facilitates distribution of known pub keys
    • Public Key encryption is slowed
    • Digital Signatures use PKI
  184. When users enroll in PKI, ____ verifies identity of the individual
    Registration Authority
  185. Best for bulk encrypting data
  186. Developed primarily for e-mail to provide digital signatures using asymmetric encryption
  187. Passive Tools used to reveal info about a network
    • TCPDump
    • Wireshark
  188. You tried to ping a site you know is up, but got nothing back
    • They have ACL
    • They have filtering enabled
  189. ____ is NOT a method of dealing with risk
  190. resolving IP addresses from names (dns)
    host -t a cnn.com
  191. resolving DNS server names (dns)
    host -t ns cnn.com
  192. Proxy capable of alerting messages, inspecting them, and recording the responses
    (attacking web apps)
    • Burp
    • NetScarab
  193. Defines who or what may be tested
  194. Enumerating a Windows System
  195. Loading a script that spawns instances of itself
    Application Layer Attack
  196. Having two tabs open and one attacks info from the other
  197. Server brute force tools
    • Brutus
    • Hydra
  198. SQL injection attack that overlays data on your page
  199. Not a real BYOD risk
    CPU Overrun
  200. ICMP Type 0 Message
    Echo Reply
  201. Hacking Cycle:
    Executing Applications -> ___________
    Hiding Files
  202. Nmap/Ping Suite protocols
    • ICMP
    • TCP ACK -> Port 80
  203. User data being passed an interpreter as code
  204. Even that may result in harm or loss
  205. Using Nmap: You scan and find little to no response. What now?
  206. Objective of Cross Site Scripting
    Take over user identity
Card Set
CEH prep