Exam

Certified Ethical Hacker Certification - CEH v10.

Pages: 30
Grade: A+
Uploaded on: 28-06-2022
Written in: 2021/2022

ARP poisoning - ARP poisoning refers to flooding the target machine's ARP cache with forged entries.

Grey box testing - A combination of black box and white box testing that gives a full inspection of the system, simulating both outside and inside attacks.

NTP Enumeration - NTP stands for Network Time Protocol and its role is to ensure that the networked computer clocks are synchronized. NTP enumeration provides hackers with information about the hosts that are connected to the NTP server as well as IP addresses, system names, and operating systems of the clients.

Active online attacks - Active online attacks require the attacker to communicate with the target machine in order to crack the password.

Static malware analysis - Static analysis refers to analyzing malware without running or installing it. The malware's binary code is examined to determine if there are any data structures or function calls that have malicious behavior.

Access control - An access control attack is when someone tries to penetrate a wireless network by avoiding access control measures, such as Access Point MAC filters or Wi-Fi port access control.

Password guessing attack steps -
- Find the target's username
- Create a password list
- Sort the passwords by the probability
- Try each password

Sniffer - Packet sniffing programs are called sniffers and they are designed to capture packets that contain information such as passwords, router configuration, traffic, and more.

Data backup strategy steps -
- Identify important data
- Choose the appropriate backup media
- Choose the appropriate backup technology
- Choose the appropriate RAID levels
- Choose the appropriate backup method
- Choose the appropriate location
- Choose the backup type
- Choose the appropriate backup solution
- Perform a recovery test

WPA2-Personal - WPA2-Personal encryption uses a pre-shared key (PSK) to protect the network access.
Threat modeling - Threat modeling is an assessment approach in which the security of an application is analyzed. It helps in identifying threats that are relevant to the application, discovering application vulnerabilities, and improving the security.

Administrative security policies - Administrative policies define the behaviour of employees.

Doxing - Doxing is revealing and publishing personal information about someone. It involves gathering private and valuable information about a person or organization and then misusing that information for different reasons.

Recovery controls - Recovery controls are used after a violation has happened and the system needs to be restored to its persistent state. These may include backup systems or disaster recovery.

Confidentiality attack - A confidentiality attack is where an attacker attempts to intercept confidential information transmitted over the network.

Proprietary Methodologies - Proprietary methodologies are usually devised by the security companies who offer pentesting services and as such are kept confidential. Examples of proprietary methodologies include:
- IBM
- McAfee Foundstone
- EC-Council LPT

Five stages of hacking -
- Reconnaissance
- Scanning
- Gaining access
- Maintaining access
- Clearing tracks

Script kiddies - Script kiddies are hackers who are new to hacking and don't have much knowledge or skills to perform hacks. Instead, they use tools and scripts developed by more experienced hackers.

Application keylogger - An application keylogger is designed to observe the target's activity whenever they type something. It can record emails, passwords, messages, browsing activities, and more.
Ethical hacking guidelines -
- No test should be performed without appropriate permission and authorization
- Keep the test results confidential (usually an NDA is signed)
- Perform only those tests that the client had previously agreed upon

CVSS - The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability, and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

Man-in-the-middle attack - A man-in-the-middle attack is when an attacker gains access to the communication channel between a target and server. The attacker is then able to extract the information and data they need to gain unauthorized access.

Breaking WPA/WPA2 Encryption: Brute-force WPA Keys - Brute-Force WPA Keys is a technique in which the attacker uses dictionary or cracking tools to break WPA encryption keys. This attack takes a lot of time to break the key.

Web application threats - Attacks that take advantage of poorly written code and lack of proper validation on input and output data. Some of these attacks include SQL injection and cross-site scripting.

Out-of-band SQL injection - Out-of-band SQL injection is an injection attack in which the attacker uses more channels to inject malicious queries and retrieve results.

Management zone - This is a secured zone which enforces strict policies and limits access to a few authorized users.

List scanning - List scanning indirectly discovers hosts. This scan works by listing out IP addresses and names without pinging the hosts and by performing a reverse DNS resolution to identify the names of the hosts.
Types of penetration testing -
- Black box testing
- Grey box testing
- White box testing

Social engineering types -
- Human-based social engineering
- Computer-based social engineering
- Mobile-based social engineering

Passive type - The hacker does not interact with the target. Instead, they rely on information that is publicly available.

Website defacement attack - A website defacement attack is an attack in which the attacker makes changes to the target website's content.

White hat - White hats are ethical hackers who use their knowledge and skills to improve security of a system by discovering vulnerabilities before black hats do. They use the same methods and tools black hats do, but unlike black hats, white hats have permission from the system owner to use those methods.

Website mirroring (cloning) - Website mirroring or website cloning refers to the process of duplicating a website. Mirroring a website helps in browsing the site offline, searching the website for vulnerabilities, and discovering valuable information.

Incident management - Incident management refers to the process of identifying, analyzing, prioritizing, and solving security incidents. The goal is not only to restore the system back to normal, but also to prevent any potential risks and threats by triggering alerts.

Information that is being collected can include: -
- Physical and logical locations
- Analog connections
- Contact information
- Information about other organizations

Computer-based social engineering - Computer-based social engineering involves using computers and information systems for collecting sensitive and important information.

Attack on sensitive information - Refers to hackers breaking into clouds and stealing information about other users. Such information usually includes credit card numbers and other financial data.

Authentication attack - An authentication attack is an attack in which the attacker attempts to steal the identity of a user and gain access to the network.
Website footprinting - Website footprinting is a technique in which information about the target is collected by monitoring the target's website. Hackers can map the entire website of the target without being noticed.

Device enumeration sheet -
- ID of the device
- Description
- Hostname
- Physical location
- IP and MAC address

Botnets - Bots are malicious programs used by hackers to control the machines they've infected. Hackers use bots to perform malicious activities from the machines on which bots run. They can use bots to infect multiple machines, creating a botnet which they can then use for distributed denial of service attacks.

IDS - Intrusion Detection System (IDS) refers to software or hardware designed to monitor, detect, and protect networks and systems from attacks. It does this by inspecting incoming and outgoing traffic and looking for suspicious activities and signatures.

Cracking passwords categories - Password cracking has four categories which are based on the attack used:
- Non-electronic attacks
- Active online attacks
- Passive online attacks
- Offline attacks

SQL Injection - An attack in which the attacker injects malicious SQL queries into the application. In this attack, the attacker targets vulnerable applications and attempts to either gain unauthorized access, or retrieve data stored in the database.

Symmetric encryption - Symmetric encryption uses one key to encrypt and decrypt the information that is sent/received.

Device driver keylogger - A device driver keylogger is designed to replace the driver that has the keylogging functionality, logs the keystrokes, and sends the file to a remote location.

ARP Spoofing - An attack in which the attacker forges ARP request and reply packets, then sends a huge number of them to overload a switch. ARP does not verify the device authenticity, so the machine that sent a request simply assumes the reply came from the right device. Attackers use this flaw to sniff the network and create a forged ARP reply which is accepted by the machine that sent the request. The attacker then floods the victim's ARP table and sets the switch in forwarding mode. This enables the attacker to sniff the network traffic.

Security policies types -
- Technical policies
- Administrative policies

TCP Connect - Scan used for detecting open ports upon the completion of the three-way handshake. It works by establishing a full connection and then dropping it by sending a RST packet.

Types of black box testing -
- Blind testing - the tester has little to no information about the target, while the target knows that the test is happening. This type of testing demonstrates what a real attacker would do to collect information about the target.
- Double blind testing - the tester knows nothing about the target, and the target does not know the test details.

Scanning techniques - Scanning techniques fall into three categories:
- Scanning ICMP network services
- Scanning TCP network services
- Scanning UDP network services

Honeypot - A trap for attackers who try to access the network. It is set up in such a way that any traffic to it is considered to be a probe or an attack. So, any interaction with a honeypot points to malicious activity.

Active vulnerability scanning - Active vulnerability scanning refers to interacting directly with the target network to discover vulnerabilities.

Shared Key Authentication Process - Shared Key Authentication (SKA) process refers to a process of accessing a Wi-Fi network which uses WEP protocol and a shared secret key. A client sends an authentication request to the access point (AP). The AP responds with a challenge text. The client uses its WEP key to encrypt the challenge text and sends the encrypted text back to the AP. The AP decrypts the text and compares the decrypted text with the original one. If they match, the AP sends the authentication code to the client. The client accepts the authentication code and connects to the network.

ARP - Address Resolution Protocol (ARP) resolves IP addresses to MAC addresses. This protocol can be used for obtaining MAC addresses of devices on the network. When two devices want to communicate, they look up the ARP table which contains the MAC addresses of all devices on the network. If the device cannot be found, a query is broadcast over the network looking for the MAC address of the device. If that device exists on the network, it will respond with its MAC address which is then stored in the ARP table.

Discretionary Access Control (DAC) - Access to files is given to users and groups based on the identity of the user and group membership. DAC allows users who have access to files to decide themselves how they will protect and share the files.

Role Based Access Control (RBAC) - Access is given for a particular file or system, giving the users all the necessary privileges needed to perform their duties.

Ways of performing penetration testing -
- Announced testing
- Unannounced testing

Types of honeypots -
- Low-interaction honeypots
- Medium-interaction honeypots
- High-interaction honeypots
- Production honeypots
- Research honeypots

Trojan - A program which contains malicious code and has the ability to cause damage to the target system. Trojans are contained inside seemingly harmless programs and activated when such programs are executed. Trojans are bound with other programs with the help of wrappers. When a wrapped application is executed, the trojan is first installed, and then the wrapped application is run.

The objectives of system hacking - The objectives of system hacking are to:
- Gain access to the target system
- Escalate privileges
- Execute applications
- Hide files
- Cover tracks

Shoulder surfing - Shoulder surfing refers to observing the target while they type in their passwords, that is, looking at their keyboard or screen.
Techniques used in scanning beyond IDS and Firewall - Scanning beyond IDS and firewall is possible by using the following techniques:
- Packet fragmentation
- Source routing
- IP address decoy
- IP address spoofing
- Proxy server

Sarbanes Oxley Act - Describes what records organizations must keep and for how long, protecting investors and the public by increasing the accuracy and reliability of corporate disclosures. The act contains 11 titles:
- Public company accounting oversight board
- Auditor independence
- Corporate responsibility
- Enhanced financial disclosures
- Analyst conflicts of interest
- Commission resources and authority
- Studies and reports
- Corporate and criminal fraud accountability
- White-collar-crime penalty enhancement
- Corporate tax returns
- Corporate fraud accountability

Seller: ErnestMichael
