Certified Ethical Hacker Certification - CEH v10.

ARP poisoning - ARP poisoning refers to flooding the target machine's ARP cache with forged entries. Grey box testing - A combination of black box and white box testing that gives a full inspection of the system, simulating both outside and inside attacks NTP Enumeration - NTP stands for Network Time Protocol and its role is to ensure that the networked computer clocks are synchronized. NTP enumeration provides hackers with information about the hosts that are connected to NTP server as well as IP addresses, system names, and operating systems of the clients. Active online attacks - Active online attacks require the attacker to communicate with the target machine in order to crack the password. Static malware analysis - Static analysis refers to analyzing malware without running or installing it. The malware's binary code is examined to determine if there are any data structures or function calls that have malicious behavior. Access control - Access control attack is someone tries to penetrate a wireless network by avoiding access control measures, such as Access Point MAC filters or Wi-Fi port access control. Password guessing attack steps - Find the target's username Create a password list Sort the passwords by the probability Try each password Sniffer - Packet sniffing programs are called sniffers and they are designed to capture packets that contain information such as passwords, router configuration, traffic, and more. Data backup strategy steps - Identify important data Choose the appropriate backup media Choose the appropriate backup technology Choose the appropriate RAID levels Choose the appropriate backup method Choose the appropriate location Choose the backup type Choose the appropriate backup solution Perform a recovery test WPA2-Personal - WPA2-Personal encryption uses a pre-shared key (PSK) to protect the network access. Threat modeling - Threat modeling is an assessment approach in which the security of an application is analyzed. It helps in identifying threats that are relevant to the application, discovering application vulnerabilities, and improve the security. Administrative security policies - Administrative policies define the behaviour of employees. Doxing - Doxing is revealing and publishing personal information about someone. It involves gathering private and valuable information about a person or organization and then misusing that information for different reasons. Recovery controls - Recovery controls are used after a violation has happened and system needs to be restored to its persistent state. These may include backup systems or disaster recovery. Confidentiality attack - Confidentiality attack is where an attacker attempts to intercept confidential information transmitted over the network. Proprietary Methodologies - Proprietary methodologies are usually devised by the security companies who offer pentesting services and as such are kept confidential. Examples of proprietary methodologies include: -IBM -McAfee Foundstone -EC-Council LPT Five stages of hacking - Reconnaissance Scanning Gaining access Maintaining access Clearing tracks Script kiddies - Script kiddies are hackers who are new to hacking and don't have much knowledge or skills to perform hacks. Instead, they use tools and scripts developed by more experienced hackers. Application keylogger - Application keylogger is designed to observe the target's activity whenever they type something. It can record emails, passwords, messages, browsing activities, and more. Ethical hacking guidelines - No test should be performed without an appropriate permission and authorization Keep the test results confidential (usually an NDA is signed) Perform only those tests that the client had previously agreed upon CVSS - The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability, and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes. Man-in-the-middle attack - Man-in-the-middle attack is when an attacker gains access to the communication channel between a target and server. The attacker is then able to extract the information and data they need to gain unauthorized access. Breaking WPA/WPA2 Encryption: Brute-force WPA Keys - Brute-Force WPA Keys is a technique in which the attacker uses dictionary or cracking tools to break WPA encryption keys. This attack takes a lot of time to break the key. Web application threats - Attacks that take advantage of poorly written code and lack of proper validation on input and output data. Some of these attacks include SQL injection and cross-site scripting. Out-of-band SQL injection - Out-of-band SQL injection is an injection attack in which the attacker uses more channels to inject malicious queries and retrieve results. Management zone - This is a secured zone which enforces strict policies and limits access to a few authorized users. List scanning - List scanning indirectly discovers hosts. This scan works by listing out IP addresses and names without pinging the hosts and with performing a reverse DNS resolution to identify the names of the hosts. Types of penetration testing - Black box testing Grey box testing White box testing Social engineering types - Human-based social engineering Computer-based social engineering Mobile-based social engineering Passive type - The hacker does not interact with the target. Instead, they rely on information that is publicly available. Website defacement attack - Website defacement attack is an attack in which the attacker makes changes to the target website's content. White hat - White hats are ethical hackers who use their knowledge and skills to improve security of a system by discovering vulnerabilities before black hats do. They use the same methods and tools black hats do, but unlike black hats, white hats have permission from the system owner to use those methods. Website mirroring (cloning) - Website mirroring or website cloning refers to the process of duplicating a website. Mirroring a website helps in browsing the site offline, searching the website for vulnerabilities, and discovering valuable information. incident management - Incident management refers to the process of identifying, analyzing, prioritizing, and solving security incidents. The goal is not only to restore the system back to normal, but also prevent any potential risks and threats by triggering alerts. Information that is being collected can include: - Physical and logical locations Analog connections Contact information Information about other organizations Computer-based social engineering - Computer-based social engineering involves using computers and information systems for collecting sensitive and important information. Attack on sensitive information - Refers to hackers breaking into clouds and stealing information about other users. Such information usually includes credit card numbers and other financial data. Authentication attack - Authentication attack is an attack in which the attacker attempts to steal the identity of a user and gain access to the network. Website footprinting - Website footprinting is a technique in which information about the target is collected by monitoring the target's website. Hackers can map the entire website of the target without being noticed. Device enumeration sheet - ID of the device Description Hostname Physical location IP and MAC address Botnets - Bots are malicious programs used by hackers to control the machines they've infected. Hackers use bots to perform malicious activities from the machines on which bots run. They can use bots to infect multiple machines, creating a botnet which they can then use for distributed denial of service attacks. IDS - Intrusion Detection System (IDS) refers to software or hardware designed to monitor, detect, and protect networks and systems from attacks. It does it by inspecting incoming and outgoing traffic and looking for suspicious activities and signatures. Cracking passwords categories - Password cracking has four categories which are based on the attack used: Non-electronic attacks Active online attacks Passive online attacks Offline attacks SQL Injection - An attack in which the attacker injects malicious SQL queries into the application. In this attack, the attacker targets vulnerable applications and attempts to either gain unauthorized access, or retrieve data stored in the database Symmetric encryption - Symmetric encryption uses one key to encrypt and decrypt the information that is sent/received Device driver keylogger - Device driver keylogger is designed to replace the driver that has the keylogging functionality, logs the keystrokes, and send the file to a remote location ARP Spoofing - An attack in which the attacker forges ARP request and reply packets, then sends a huge number of them to overload a switch. ARP does not verify the device authenticity, so the machine that sent a request simply assumes the reply came from the right device. Attackers use this flaw to sniff the network and create a forged ARP reply which is accepted by the machine that sent the request. The attacker then floods the victim's ARP table and sets the switch in forwarding mode. This enables the attacker to sniff the network traffic Security policies types - Technical policies Administrative policies TCP Connect - Scan used for detecting open ports upon the completion of the three- way handshake. It works by establishing a full connection and then dropping it by sending a RST packet. Types of black box testing - Blind testing - the tester has little to no information about the target, while the target knows that the test is happening. This type of testing demonstrates what a real attacker would do to collect information about the target. Double blind testing - the tester knows nothing about the target, and the target does not know the test details. Scanning techniques - Scanning techniques fall into three categories: Scanning ICMP network services Scanning TCP network services Scanning UDP network services Honeypot - A trap for attackers who try to access the network. It is set up in such a way that any traffic to it is considered to be a probe or an attack. So, any interaction with a honeypot points to a malicious activity. Active vulnerability scanning - Active vulnerability scanning refers to interacting directly with the target network to discover vulnerabilities. Shared Key Authentication Process - Shared Key Authentication (SKA) process refers to a process of accessing a Wi-Fi network which uses WEP protocol and a shared secret key. A client sends an authentication request to the access point (AP). The AP responds with a challenge text. The client uses its WEP key to encrypt the challenge text and sends the encrypted text back to the AP. The AP decrypts the text and compares the decrypted text with the original one. If they match, the AP sends the authentication code to the client. The client accepts the authentication code and connects to the network. ARP - Address Resolution Protocol (ARP) resolves IP addresses to MAC addresses. This protocol can be used for obtaining MAC addresses of devices on the network. When two devices want to communicate, they look up the ARP table which contains the MAC addresses of all devices on the network. If the device cannot be found, a query is broadcasted over the network looking for the MAC address of the device. If that device exists on the network, it will respond with its MAC address which is then stored in the ARP table. Discretionary Access Control (DAC) - Access to files is given to users and groups based on the identity of the user and group membership. DAC allows users who have the access to files, to decide themselves how they will protect and share the files. Role Based Access Control (RBAC) - Access is given for a particular file or system, giving the users all the necessary privileges needed to perform their duties. Ways of performing penetration testing - Announced testing Unannounced testing Types of honeypots - Low-interaction honeypots Medium-interaction honeypots High-interaction honeypots Production honeypots Research honeypots Trojan - A program which contains malicious code and has the ability to cause damage to the target system. They are contained inside seemingly harmless programs and activated when such programs are executed. Trojans are bound with other programs with the help of wrappers. When a wrapped application is executed, the trojan is first installed, and then the wrapped application is run. The objectives of system hacking - The objectives of system hacking are to: Gain access to the target system Escalate privileges Execute applications Hide files Cover tracks Shoulder surfing - Shoulder surfing refers to observing the target while they type in their passwords, that is, looking at their keyboard or screen. Techniques used in scanning beyond IDS and Firewall - Scanning beyond IDS and firewall is possible by using the following techniques: Packet fragmentation Source routing IP address decoy IP address spoofing Proxy server Sarbanes Oxley Act - Describes what records organizations must keep and for how long, protecting investors and the public by increasing the accuracy and reliability of corporate disclosures . The act contains 11 titles: Public company accounting oversight board Auditor independence Corporate responsibility Enhanced financial disclosures Analyst conflicts of interest Commission resources and authority Studies and reports Corporate and criminal fraud accountability White-collar-crime penalty enhancement Corporate tax returns Corporate fraud accountability LDAP Enumeration - LDAP stands for Lightweight Directory Access Protocol. This protocol has access to directory services. Querying LDAP may return information about usernames, addresses, servers, and other sensitive information which can help the attacker perform an attack. Application threats types - SQL injection Cross-site scripting Session hijacking Identity spoofing Improper input validation Security misconfiguration Information disclosure Hidden-field manipulation Broken session management Cryptography attacks Buffer overflow issue Phishing Zero day attack - Zero-day refers to a vulnerability in software or hardware that is unknown to the vendor. Exploiting previously unknown vulnerabilities for which a patch has not been released is called a zero-day attack. Attack classifications - Operating system attacks, misconfiguration attacks, application- level attacks, and shrink-wrap code attacks. Hardware keylogger - Hardware keyloggers are devices that look like USB drives and are designed to record keystrokes, which are stored on the device. They are placed between a keyboard plug and USB socket and cannot be detected by antispyware or antivirus programs. However, they have to be physically placed onto a target machine, making them discoverable. Ping Sweep - Ping sweep is used to determine the range of IP addresses that is mapped to active devices. It allows hackers to calculate subnet masks and identify the number of present hosts in the subnet. This in turn enables them to create an inventory of active devices. XML External Entity attack - An attack in which the attacker takes advantage of a poorly configured XML parser, causing the application to parse XML input coming from an untrusted source Software keylogger types - Application keylogger Kernel/Rootkit/Device driver keylogger Hypervisor-based keylogger Form grabbing-based keylogger Rules of Engagement (ROE) - The formal agreement and permission to perform a penetration test. ROE is a guideline for testers and as such should clearly state what is and isn't allowed. The ROE specifies which IP addresses should be tested, hosts that are not to be tested, testing techniques that can be used, time frame when the test can take place, and similar information. Pre-attack phase - Includes activities such as preparation and planning, and information gathering. The objective is to gather as much information about the target as possible. Reconnaissance - The initial phase in which a hacker performs certain preparations for the attack. This includes information gathering and learning about the target as much as possible. Exploit - Exploit is a piece of code which takes advantage of the identified vulnerability to deliver the malicious code. Sensitive data exposure - Sensitive data exposure threats occur in applications that use weak encryption code for data encryption and storage. This vulnerability enables attackers to easily crack the encryption and steal the data Advanced persistent threats - Refers to stealing information without the target being aware of the attack. The goal of this attack is to steal as much information as possible as well as stay undetected for as long as possible. Whois - Whois refers to a query and response protocol which is used for retrieving information about assigned Internet resources. Whois databases contain domain owners' personal information and are maintained by the Regional Internet Registries. Google hacking - Google hacking is a technique which attackers use to perform a complex search and extract important information about their targets. It involves using a set of search operators and building complex queries. Replay attack - Replay attack involves using a sniffer to capture packets and authentication tokens. Once the relevant data is extracted, the tokens are placed back on the network in an attempt to gain unauthorized access. Common network threats - Denial of Service attacks Password-based attacks Compromised-key attacks Firewall and IDS attacks DNS and ARP poisoning Man in the middle attack Spoofing Session hijacking Information gathering Sniffing Stealing information from other cloud users - Refers to internal threats where employees with bad intentions copy information onto a storage device Enterprise directory services - Enterprise directory services include data synchronization, meta directory, virtual directory, and other services that manage user identity information. Rootkit - Rootkit is a program designed to help the attacker gain access to a system without being detected. It is designed to replace certain system calls and utilities allowing for malicious activities to be performed. Rootkits create a backdoor to the system and thus enable the attacker to access the system and perform malicious activities. Common attack vectors - Common attack vectors are: Cloud Computing Threats Advanced Persistent Threats Viruses and Worms Ransomware Mobile Threats Botnets Insider attacks Phishing Web Application Threats IoT Threats Internet DMZ zone - This is a controlled zone, also known as demilitarized zone, which provides a barrier between the external and internal network. The DMZ uses firewalls to control the traffic coming from and to the Internet, as well as internal networks. Network scanning - Network scanning refers to the process of obtaining additional information and performing a more detailed reconnaissance based on the collected information in the footprinting phase. NVD - NVD includes databases of security checklist references, security related software flaws, misconfigurations, product names, and impact metrics. Purpose of penetration testing - Identify threats Reduce security expenses Provide complete security assessment Maintain industry standards and regulations Follow best practices Test security controls Improve current security infrastructure Pay particular attention to severe vulnerabilities Prepare steps for preventing exploitations Test network security devices Wireless Hacking Methodology Steps - The steps of the wireless hacking methodology are: Discover potential Wi-Fi networks and find the Wi-Fi network to attack Create a map and database of discovered networks Analyze the traffic on the discovered wireless network and find vulnerabilities Launch an attack Break the security of the network Compromise the network Privilege escalation - Escalating privileges refers to taking advantage of the operating system and software vulnerabilities which enable the attacker to gain admin privileges. Becoming an admin on the target system allows the attacker to perform all sorts of malicious activities. Cyber terrorists - Cyber terrorists are hackers who are influenced by certain religious or political beliefs. They work to cause fear and disruption of systems and networks. Information warfare classification - Command and control warfare Intelligence-based warfare Electronic warfare Psychological warfare Hacker warfare Economic warfare Cyber warfare Fragmentation attack - An attack in which the attacker sends a huge number of TCP or UDP fragmented packets with a small packet rate - the target system is forced to exhaust its resources while reassembling the packets, thus causing it to crash Five major elements that should be considered when talking about information security: - Confidentiality, Integrity, Availability, Authenticity, Non-repudiation HTTP Response Splitting attack - HTTP Response Splitting attack is an attack in which the attacker injects new lines into response headers, making the server split one response into two. The attacker is then able to control the first response coming from the server and redirect the client to a malicious website. Security Incident and Event Management system (SIEM) - Security Incident and Event Management system (SIEM) is responsible for identifying, monitoring, recording, inspecting, and analyzing security incidents, performing threat detection and incident response activities, and real time tracking of suspicious activities. The objective of SIEM is to protect the organization and its assets from threats and attacks. Malware analysis - Malware analysis refers to a process of reverse engineering a malware program. The purpose of the analysis is to determine how the malware works and assess the potential damage it could cause. Wireless Hacking Methodology - A wireless hacking methodology provides steps needed for successfully breaking into a wireless network. The objective is to compromise a Wi-Fi network and gain unauthorized access to its resources. Rule-based attack - Rule-based attack is used when an attacker has some information about a password, such as the length, if there are any digits, and so forth. In this attack, the attacker combines several other attacks to crack the password. Some of the attacks used can include brute force, dictionary, and syllable attack. WPA2-Enterprise - WPA2-Enterprise uses Extensible Authentication Protocol (EAP) and RADIUS authentication. IP Geolocation - IP Geolocation helps find location information about a target such as country, city, postal code, ISP, etc. With this information, hackers can perform social engineering attacks on the target. Hypervisor-based keylogger - Hypervisor-based keylogger is designed to work within a malware hypervisor that is operating on the OS. Bot - Bots are malicious programs used by hackers to control the infected machines. Once the machine is infected, hackers can use that bot to control the computer and perform attacks on other computers. Detective controls - These detect violations in security as well as any attempts of intrusion. These could be alarm systems, sensors, video surveillance, or motion detectors. Insecure deserialization - Insecure deserialization refers to a vulnerability which attackers exploit by injecting malicious code into serialized data, which is then sent to the target. Because of the insecure deserialization vulnerability, the malicious serialized data is deserialized without the malicious code being detected, which allows the attacker to gain unauthorized access to the system . MAC Spoofing - MAC spoofing is an attack in which the attacker sniffs the network for MAC addresses of legitimate users and then spoofs one of those addresses. Then, the attacker receives the traffic intended for that user. This way, the attacker gains access to the network. Post-attack phase - In this phase, the tester restores the system to the pretest state. The tester should also report where the security flaws are as well as document all activities and results. Some of the activities performed in this phase include deleting files that were uploaded onto the system, removing created vulnerabilities and exploits, and mapping the network state. Digital Millennium Copyright Act (DMCA) - The DMCA is a copyright law in the United States of America which implements the WIPO (World Intellectual Property Organization) Copyright Treaty and WIPO Performances and Phonograms Treaty. The act contains five titles: WIPO Treaty Implementation Online Copyright Infringement Liability Limitation Computer maintenance or repair Miscellaneous provisions Protection of certain original designs UDP scanning - UDP scanning uses UDP protocol to test whether the port is open or closed. In this scan there is no flag manipulation. Instead, ICMP is used to determine if the port is open or not. So, if a packet is sent to a port and the ICMP port unreachable packet is returned, then that means that the port is closed. If, however, there is no response, then the port is open. Physical security helps with what? - - Preventing unauthorized access to the system - Preventing any kind of data manipulation and theft - Protecting the system against malicious activities such as espionage, damage, and theft - Protecting employees and preventing social engineering attacks Source routing attack - This is an attack in which the attacker hijacks a TCP session, creates forged packets, injects the packets into the session, and then specifies the route which the packets will take from the source to the destination server. The source IP address belongs to the trusted client, thus ensuring that the server accepts the attacker's packets. Passive sniffing - Passive sniffing is used in networks which use hubs to connect systems. Such networks allow their hosts to see all the traffic passing through the network, which makes it easy for attackers to capture that traffic. Passive sniffing does not require any packets to be sent. Instead, the packets coming into the network are monitored and captured. Passive vulnerability scanning - Passive vulnerability scanning refers to discovering vulnerabilities without a direct interaction with the target network. Integrity attack - Integrity attack is an attack in which the attacker sends forged frames over the wireless network in an attempt to perform a different attack. Spectre vulnerability - Spectre vulnerability affects modern microprocessors and allows attackers to obtain sensitive information by tricking a program into accessing the program's memory space. This allows attackers to read kernel memory or use JavaScript to launch a web-based attack. Sniffing types - Sniffing can be: Passive sniffing Active sniffing Penetration testing - Penetration testing refers to the simulation of a security attack in which the objective is to discover vulnerabilities and evaluate the security of the system that is being tested. Penetration testing performs a detailed analysis of the organization's information security in terms of weaknesses in design, technical flaws, and vulnerabilities. DNS server hijacking attack - DNS server hijacking attack is an attack in which the attacker targets a DNS server and tempers with its mapping settings, making it redirect clients to the attacker's rogue server which serves the attacker's malicious website. Access Control - Access control refers to the restrictions placed upon the system or network. These restrictions determine who has access to a resource and who does not. By placing these restrictions, the organization protects its information assets. Enterprise Information Security Architecure (EISA) - Enterprise information security architecture (EISA) refers to a group of requirements, processes, principles, and models that regulate the organization's structure and behavior in terms of system security, processes, and employees. Vulnerability - Vulnerability is a weakness which can compromise the system and be used for a possible attack. Identity Access Management (IAM) - Identity access management is a framework which makes sure that the right users have access to the right resources at the right time. The framework includes users, procedures, and software that manage users' access to the organization's resources. NAT - Network Address Translation or NAT enables LAN to use one set of IP addresses for external traffic, and one set for internal traffic. NAT modifies the packet's IP header and translates one address space into another, thus hiding the layout of the internal network. Three important components of every system: - Functionality, usability, and security Software keylogger - Software keyloggers are programs installed on the target's machine. Recorded keystrokes are logged into a log file on the target's machine which is then sent to the attacker using email protocols. Network zones - Internet zone Internet DMZ zone Production zone Intranet zone Management zone Cross-Site Scripting attack - Cross-Site Scripting attack is an attack in which the attacker injects scripts into web pages which are executed on the target's system. Thin whois - Thin whois contains limited information about the specified set of data. Wire sniffing - Wire sniffing is an attack in which attackers sniff credentials by capturing packets that are being transmitted. During the packet transmission, attackers are able to capture packets and extract sensitive information such as passwords and emails. With this info, they can gain access to the target system. Clearing tracks - in this final phase, hackers attempt to hide their activities on the system. This is done in order to maintain the access to the system but remain unnoticed in the process. They do everything they can to cover their tracks and thus avoid getting caught and legally prosecuted. DNS Footprinting - DNS footprinting refers to collecting information about DNS zone data, which includes information about key hosts in the network. DNS interrogation tools help attackers to perform DNS footprinting. Using these tools, attackers are able to obtain information about server types and their locations. DoS attack - Denial of Service or DoS attack is an attack in which the attacker overloads the target system with fake requests or traffic, resulting in the server being unable to function properly. The objective of a DoS attack is to render the target system useless and prevent users from accessing its resources Man-in-the-Browser attack - Man-in-the-Browser attack is an attack in which the attacker uses a trojan to infect the target's browser. The attacker is then able to intercept and manipulate the communication between the browser and the destination server. Attackers often use MITB to target financial transactions. WEP - WEP, Wired Equivalent Privacy, is a security protocol which provides security and privacy on wireless networks. It encrypts data using RC4 encryption algorithm. It also relies on a 24-bit initialization vector and a 40-bit or 104-bit key that form 64-bit or 128-bit secret keys when they're combined. These are shared between a client and AP. The secret key is used for encryption and decryption of the data. CRC-32 checksum is used for integrity checks of the packets in transit. The problem with WEP is the initialization vector which at some point begins repeating itself, and thus makes it easy for attackers to discover the shared secret key. Main modules in Identity Access Management - Access Management Module refers to the authentication and authorization components of IAM. Identity Management Module refers to the management of users and enterprise directory service components of IAM. These are things like monitoring, recording, and logging the user activities on the network. XSS attack - Cross-Site Scripting, or an XSS attack, is where an attacker injects scripts into web pages that are executed on the target's system. Attackers use this attack to obtain the target's session ID. Compensating controls - Compensating controls do not prevent attacks. Instead, they are used when everything else fails. In this type of control, the goal is to restore everything back to normal. Security attack (cyber attack) - Refers to an attempt to gain unauthorized access to a system or network Techniques used in covering tracks - Disabling auditing: disabling auditing features of the system Clearing logs: deleting the attacker's logged activities Manipulating logs: changing the logs to prevent detection Federal Information Security Management Act - FISMA protects government information, operations, and assets against various threats. DDoS attack - Distributed Denial of Service, or DDoS, attack is when an attacker uses botnets to perform a DoS attack. The objective is to first compromise as many systems as possible and then use those systems to launch a DoS attack on their target. Session hijacking - Session hijacking is an attack in which the attacker targets a session between two machines in order to gain access to the target machine. In this attack, the attacker exploits the vulnerabilities existing in the mechanisms that generate session tokens. By guessing or stealing a valid session token, attackers are able