Messier186921_bindex.indd 726 3/22/2023 2:48:41 PM

CEH v12™ Certified Ethical Hacker Study Guide

Ric Messier, CEH, GSEC, CISSP

Copyright © 2023 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada and the United Kingdom.

ISBN: 978-1-394-18692-1
ISBN: 978-1-394-18687-7 (ebk.)
ISBN: 978-1-394-18691-4 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permission.

Trademarks: WILEY, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CEH is a trademark of EC-Council. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Control Number: 2023932588
Cover image: © Getty Images Inc./Jeremy Woodhouse
Cover design: Wiley

About the Author

Ric Messier, GCIH, CCSP, GSEC, CEH, CISSP, MS, has entirely too many letters after his name, as though he spends time gathering up strays that follow him home at the end of the day. His interest in information security began in high school but was cemented when he was a freshman at the University of Maine, Orono, when he took advantage of a vulnerability in a jailed environment to break out of the jail and gain elevated privileges on an IBM mainframe in the early 1980s. His first experience with Unix was in the mid-1980s and with Linux in the mid-1990s. Ric is an author, trainer, educator, and security professional with multiple decades of experience. He is currently a Principal Consultant with Mandiant and has developed graduate programs and courses in information security at different colleges and universities.

About the Technical Editor

James Michael Stewart, CISSP, CEH, CHFI, ECSA, CND, ECIH, CySA+, PenTest+, CASP+, Security+, Network+, A+, CISM, and CFR, has been writing and training for more than 25 years, with a current focus on security. He has been teaching CISSP training courses since 2002, not to mention other courses on internet security and ethical hacking/penetration testing. He is the author of and contributor to more than 75 books on security certification, Microsoft topics, and network administration, including CompTIA Security+ Review Guide. More information about Michael can be found at his website, www.impactonline.com.
Contents at a Glance

Introduction xvii
Assessment Test xxv
Chapter 1 Ethical Hacking 1
Chapter 2 Networking Foundations 17
Chapter 3 Security Foundations 59
Chapter 4 Footprinting and Reconnaissance 101
Chapter 5 Scanning Networks 161
Chapter 6 Enumeration 231
Chapter 7 System Hacking 279
Chapter 8 Malware 339
Chapter 9 Sniffing 393
Chapter 10 Social Engineering 435
Chapter 11 Wireless Security 471
Chapter 12 Attack and Defense 511
Chapter 13 Cryptography 549
Chapter 14 Security Architecture and Design 581
Chapter 15 Cloud Computing and the Internet of Things 611
Appendix Answers to Review Questions 661
Index 699

Contents

Introduction xvii
Assessment Test xxv

Chapter 1 Ethical Hacking 1
  Overview of Ethics 2
  Overview of Ethical Hacking 5
  Attack Modeling 6
  Cyber Kill Chain 7
  Attack Lifecycle 8
  MITRE ATT&CK Framework 10
  Methodology of Ethical Hacking 12
  Reconnaissance and Footprinting 12
  Scanning and Enumeration 12
  Gaining Access 13
  Maintaining Access 14
  Covering Tracks 14
  Summary 15

Chapter 2 Networking Foundations 17
  Communications Models 19
  Open Systems Interconnection 20
  TCP/IP Architecture 23
  Topologies 24
  Bus Network 24
  Star Network 25
  Ring Network 26
  Mesh Network 27
  Hybrid 28
  Physical Networking 29
  Addressing 29
  Switching 30
  IP 31
  Headers 32
  Addressing 34
  Subnets 35
  TCP 37
  UDP 40
  Internet Control Message Protocol 41
  Network Architectures 42
  Network Types 43
  Isolation 44
  Remote Access 45
  Cloud Computing 46
  Storage as a Service 47
  Infrastructure as a Service 48
  Platform as a Service 49
  Software as a Service 51
  Internet of Things 53
  Summary 54
  Review Questions 56

Chapter 3 Security Foundations 59
  The Triad 61
  Confidentiality 61
  Integrity 63
  Availability 64
  Parkerian Hexad 65
  Information Assurance and Risk 66
  Policies, Standards, and Procedures 69
  Security Policies 69
  Security Standards 70
  Procedures 71
  Guidelines 72
  Organizing Your Protections 72
  Security Technology 75
  Firewalls 76
  Intrusion Detection Systems 80
  Intrusion Prevention Systems 83
  Endpoint Detection and Response 84
  Security Information and Event Management 86
  Being Prepared 87
  Defense in Depth 87
  Defense in Breadth 89
  Defensible Network Architecture 90
  Logging 91
  Auditing 93
  Summary 95
  Review Questions 96

Chapter 4 Footprinting and Reconnaissance 101
  Open Source Intelligence 103
  Companies 103
  People 112
  Social Networking 115
  Domain Name System 129
  Name Lookups 130
  Zone Transfers 136
  Passive DNS 138
  Passive Reconnaissance 142
  Website Intelligence 145
  Technology Intelligence 150
  Google Hacking 150
  Internet of Things (IoT) 152
  Summary 154
  Review Questions 157

Chapter 5 Scanning Networks 161
  Ping Sweeps 163
  Using fping 163
  Using MegaPing 165
  Port Scanning 167
  nmap 168
  masscan 184
  MegaPing 186
  Metasploit 188
  Vulnerability Scanning 190
  OpenVAS 192
  Nessus 203
  Looking for Vulnerabilities with Metasploit 209
  Packet Crafting and Manipulation 210
  hping 211
  packETH 214
  fragroute 217
  Evasion Techniques 218
  Evasion with nmap 221
  Protecting and Detecting 223
  Summary 224
  Review Questions 226

Chapter 6 Enumeration 231
  Service Enumeration 233
  Countermeasures 236
  Remote Procedure Calls 236
  SunRPC 237
  Remote Method Invocation 239
  Server Message Block 242
  Built-in Utilities 243
  nmap Scripts 247
  NetBIOS Enumerator 249
  Metasploit 250
  Other Utilities 254
  Countermeasures 257
  Simple Network Management Protocol 258
  Countermeasures 259
  Simple Mail Transfer Protocol 260
  Countermeasures 263
  Web-Based Enumeration 264
  Countermeasures 271
  Summary 272
  Review Questions 274

Chapter 7 System Hacking 279
  Searching for Exploits 281
  System Compromise 285
  Metasploit Modules 286
  Exploit-DB 290
  Gathering Passwords 292
  Password Cracking 295
  John the Ripper 296
  Rainbow Tables 298
  Kerberoasting 300
  Client-Side Vulnerabilities 305
  Living Off the Land 307
  Fuzzing 308
  Post Exploitation 313
  Evasion 313
  Privilege Escalation 314
  Pivoting 319
  Persistence 322
  Covering Tracks 326
  Summary 332
  Review Questions 334

Chapter 8 Malware 339
  Malware Types 341
  Virus 341
  Worm 342
  Trojan 344
  Botnet 344
  Ransomware 345
  Dropper 347
  Fileless Malware 348
  Polymorphic Malware 348
  Malware Analysis 349
  Static Analysis 350
  Dynamic Analysis 361
  Automated Malware Analysis 370
  Creating Malware 371
  Writing Your Own 372
  Using Metasploit 375
  Obfuscating 381
  Malware Infrastructure 382
  Antivirus Solutions 384
  Persistence 385
  Summary 386
  Review Questions 388

Chapter 9 Sniffing 393
  Packet Capture 394
  tcpdump 395
  tshark 401
  Wireshark 403
  Berkeley Packet Filter 408
  Port Mirroring/Spanning 410
  Detecting Sniffers 410
  Packet Analysis 412
  Spoofing Attacks 417
  ARP Spoofing 418
  DNS Spoofing 422
  DHCP Starvation Attack 424
  sslstrip 425
  Spoofing Detection 426
  Summary 428
  Review Questions 430

Chapter 10 Social Engineering 435
  Social Engineering 436
  Pretexting 438
  Social Engineering Vectors 440
  Identity Theft 441
  Physical Social Engineering 442
  Badge Access 442
  Man Traps 444
  Biometrics 445
  Phone Calls 446
  Baiting 447
  Tailgating 448
  Phishing Attacks 448
  Contact Spamming 452
  Quid Pro Quo 452
  Social Engineering for Social Networking 453
  Website Attacks 454
  Cloning 454
  Rogue Attacks 457
  Wireless Social Engineering 458
  Automating Social Engineering 461
  Summary 464
  Review Questions 466

Chapter 11 Wireless Security 471
  Wi-Fi 472
  Wi-Fi Network Types 474
  Wi-Fi Authentication 477
  Wi-Fi Encryption 478
  Bring Your Own Device 483
  Wi-Fi Attacks 484
  Bluetooth 495
  Scanning 496
  Bluejacking 498
  Bluesnarfing 498
  Bluebugging 498
  Bluedump 499
  Bluesmack 499
  Mobile Devices 499
  Mobile Device Attacks 500
  Summary 504
  Review Questions 506

Chapter 12 Attack and Defense 511
  Web Application Attacks 512
  OWASP Top 10 Vulnerabilities 514
  Web Application Protections 524
  Denial-of-Service Attacks 526
  Bandwidth Attacks 527
  Slow Attacks 529
  Legacy 531
  Application Exploitation 531
  Buffer Overflow 532
  Heap Spraying 534
  Application Protections and Evasions 535
  Lateral Movement 536
  Defense in Depth/Defense in Breadth 538
  Defensible Network Architecture 540
  Summary 542
  Review Questions 544

Chapter 13 Cryptography 549
  Basic Encryption 551
  Substitution Ciphers 551
  Diffie–Hellman 553
  Symmetric Key Cryptography 555
  Data Encryption Standard 555
  Advanced Encryption Standard 556
  Asymmetric Key Cryptography 558
  Hybrid Cryptosystem 559
  Nonrepudiation 559
  Elliptic Curve Cryptography 560
  Certificate Authorities and Key Management 562
  Certificate Authority 562
  Trusted Third Party 565
  Self-Signed Certificates 566
  Cryptographic Hashing 569
  PGP and S/MIME 571
  Disk and File Encryption 572
  Summary 576
  Review Questions 578

Chapter 14 Security Architecture and Design 581
  Data Classification 582
  Security Models 584
  State Machine 584
  Biba 585
  Bell–LaPadula 586
  Clark–Wilson Integrity Model 586
  Application Architecture 587
  n-tier Application Design 588
  Service-Oriented Architecture 591
  Cloud-Based Applications 593
  Database Considerations 595
  Security Architecture 598
  Zero-Trust Model 602
  Summary 604
  Review Questions 606

Chapter 15 Cloud Computing and the Internet of Things 611
  Cloud Computing Overview 612
  Cloud Services 616
  Shared Responsibility Model 621
  Public vs. Private Cloud 623
  Grid Computing 624
  Cloud Architectures and Deployment 625
  Responsive Design 629
  Cloud-Native Design 629
  Deployment 631
  Dealing with REST 633
  Common Cloud Threats 639
  Access Management 639
  Data Breach 641
  Web Application Compromise 642
  Credential Compromise 643
  Insider Threat 645
  Internet of Things 646
  Fog Computing 651
  Operational Technology 652
  The Purdue Model 654
  Summary 655
  Review Questions 657

Appendix Answers to Review Questions 661
  Chapter 2: Networking Foundations 662
  Chapter 3: Security Foundations 663
  Chapter 4: Footprinting and Reconnaissance 666
  Chapter 5: Scanning Networks 669
  Chapter 6: Enumeration 672
  Chapter 7: System Hacking 675
  Chapter 8: Malware 678
  Chapter 9: Sniffing 681
  Chapter 10: Social Engineering 683
  Chapter 11: Wireless Security 686
  Chapter 12: Attack and Defense 688
  Chapter 13: Cryptography 691
  Chapter 14: Security Architecture and Design 693
  Chapter 15: Cloud Computing and the Internet of Things 695

Index 699

Introduction

You’re thinking about becoming a Certified Ethical Hacker (CEH). No matter what variation of security testing you are performing—ethical hacking, penetration testing, red teaming, or application assessment—the skills and knowledge necessary to achieve this certification are in demand. Even the idea of security testing and ethical hacking is evolving as businesses and organizations begin to have a better understanding of the adversaries they are facing. It’s no longer the so-called script kiddies that businesses felt they were fending off for so long. Today’s adversary is organized, well-funded, and determined. This means testing requires different tactics.

Depending on who you are listening to, 80–90 percent of attacks today use social engineering. The old technique of looking for technical vulnerabilities in network services is simply not how attackers are getting into networks.
Networks that rely on hardening the perimeter may end up being susceptible to attacks from the inside, which is what happens when desktop systems are compromised. The skills needed to identify vulnerabilities and recommend remediations are evolving, along with the tactics and techniques used by attackers.

This book is written to help you understand the breadth of content you will need to know to obtain the CEH certification. You will find a lot of concepts to provide you with a foundation that can be applied to the skills required for the certification. While you can read this book cover to cover, for a substantial chunk of the subjects, getting hands-on experience is essential. The concepts are often demonstrated through the use of tools. Following along with these demonstrations and using the tools yourself will help you understand the tools and how to use them. Many of the demonstrations are done in Kali Linux, though many of the tools have Windows analogs if you are more comfortable there.

We can’t get through this without talking about ethics, though you will find it mentioned in several places throughout the book. This is serious, and not only because it’s a huge part of the basis for the certification. It’s also essential for protecting yourself and the people you are working for. The short version is do not do anything that would cause damage to systems or your employer. There is much more to it than that, which you’ll read more about in Chapter 1, “Ethical Hacking,” as a starting point. It’s necessary to start wrapping your head around the ethics involved in this exam and profession. You will have to sign an agreement as part of achieving your certification.

At the end of each chapter, you will find a set of questions. This will help you to demonstrate to yourself that you understand the content. Most of the questions are multiple choice, which is the question format used for the CEH exam. These questions, along with the hands-on experience you take advantage of, will be good preparation for taking the exam.

What Is a CEH?

The Certified Ethical Hacker exam validates that those holding the certification understand the broad range of subject matter that is required for someone to be an effective ethical hacker. The reality is that most days, if you are paying attention to the news, you will see a news story about a company that has been compromised and had data stolen, a government that has been attacked, or even enormous denial-of-service attacks, making it difficult for users to gain access to business resources.

The CEH is a certification that recognizes the importance of identifying security issues to get them remediated. This is one way companies can protect themselves against attacks—by getting there before the attackers do. It requires someone who knows how to follow techniques that attackers would normally use. Just running scans using automated tools is insufficient because as good as security scanners may be, they will identify false positives—cases where the scanner indicates an issue that isn’t really an issue. Additionally, they will miss a lot of vulnerabilities—false negatives—for a variety of reasons, including the fact that the vulnerability or attack may not be known.

Because companies need to understand where they are vulnerable to attack, they need people who are able to identify those vulnerabilities, which can be very complex. Scanners are a good start, but being able to find holes in complex networks can take the creative intelligence that humans offer. This is why we need ethical hackers. These are people who can take extensive knowledge of a broad range of technical subjects and use it to identify vulnerabilities that can be exploited.

The important part of that two-word phrase, by the way, is “ethical.” Companies have protections in place because they have resources they don’t want stolen or damaged. When they bring in someone who is looking for vulnerabilities to exploit, they need to be certain that nothing will be stolen or damaged. They also need to be certain that anything that may be seen or reviewed isn’t shared with anyone else. This is especially true when it comes to any vulnerabilities that have been identified.

The CEH exam, then, has a dual purpose. It not only tests deeply technical knowledge but also binds anyone who is a certification holder to a code of conduct. Not only will you be expected to know the content and expectations of that code of conduct, you will be expected to live by that code. When companies hire or contract to people who have their CEH certification, they can be assured they have brought on someone with discretion who can keep their secrets and provide them with professional service in order to help improve their security posture and keep their important resources protected.

The Subject Matter

If you were to take the CEH v12 training, you would have to go through the following modules:

  Introduction to Ethical Hacking
  Footprinting and Reconnaissance
  Scanning Networks
  Enumeration
  Vulnerability Analysis
  System Hacking
  Malware Threats
  Sniffing
  Social Engineering
  Denial of Service
  Session Hijacking
  Evading IDSs, Firewalls, and Honeypots
  Hacking Web Servers
  Hacking Web Applications
  SQL Injection
  Hacking Wireless Networks
  Hacking Mobile Platforms
  IoT and OT Hacking
  Cloud Computing
  Cryptography

As you can see, the range of subjects is broad. Beyond knowing the concepts associated with these topics, you will be expected to know about various tools that may be used to perform the actions associated with the concepts you are learning. You will need to know tools like nmap for port scanning, for example. You may need to know proxy-based web application attack tools. For wireless network attacks, you may need to know about the aircrack-ng suite of tools. For every module listed, there are potentially dozens of tools that may be used.

The subject matter of the CEH exam is very technical. This is not a field in which you can get by with theoretical knowledge. You will need to have had experience with the methods and tools that are covered within the subject matter for the CEH exam.

What you may also have noticed here is that the modules all fall within the different stages mentioned earlier. While you may not necessarily be asked for a specific methodology, you will find that the contents of the exam do generally follow the methodology that the EC-Council believes to be a standard approach.

About the Exam

The CEH exam has much the same parameters as other professional certification exams. You will take a computerized, proctored exam. You will have 4 hours to complete 125 questions. That means you will have, on average, roughly 2 minutes per question. The questions are all multiple choice. The exam can be taken through the ECC Exam Center or at a Pearson VUE center. For details about VUE, please visit https://home.pearsonvue.com/eccouncil.

Should you want to take your certification even further, you could go after the CEH Practical exam. For this exam you must perform an actual penetration test and write a report at the end of it. This demonstrates that in addition to knowing the body of material covered by the exam, you can put that knowledge to use in a practical way. You will be expected to know how to compromise systems and identify vulnerabilities.

To pass the exam, you will have to correctly answer a certain number of questions, though the actual number will vary. The passing grade varies depending on the difficulty of the questions asked. The harder the questions that are asked out of the complete pool of questions, the fewer questions you need to get right to pass the exam. If you get easier questions, you will need to get more of the questions right to pass. There are some sources of information that will tell you that you need to get 70 percent of the questions right, and that may be okay for general guidance and preparation as a rough low-end marker. However, keep in mind that when you sit down to take the actual test at the testing center, the passing grade will vary. The score you will need to achieve will range from 60 to 85 percent.

The good news is that you will know whether you passed before you leave the testing center. You will get your score when you finish the exam, and you will also get a piece of paper indicating the details of your grade. You will get feedback associated with the different scoring areas and how you performed in each of them.

Who Is Eligible

Not everyone is eligible to sit for the CEH exam. Before you go too far down the road, you should check your qualifications. Just as a starting point, you have to be at least 18 years of age. The other eligibility standards are as follows:

  Anyone who has versions 1–7 of the CEH certification. The CEH certification is ANSI certified now, but early versions of the exam were available before the certification. Anyone who wants to take the ANSI-accredited certification who has the early version of the CEH certification can take the exam.
  Minimum of two years of related work experience. Anyone who has the experience will have to pay a nonrefundable application fee of $100.
  Have taken an EC-Council training.

If you meet these qualification standards, you can apply for the certification, along with paying the fee if it is applicable to you (if you take one of the EC-Council trainings, the fee is included). The application will be valid for three months.

Exam Cost

To take the certification exam, you need to pay for a Pearson VUE exam voucher. The cost of this is $1,199. You could also obtain an EC-Council voucher for $950, but that requires that you have taken EC-Council training and can provide a Certificate of Attendance.

EC-Council may change their eligibility, pricing, or exam policies from time to time. We highly encourage you to check for updated policies at the EC-Council website (https://cert.eccouncil.org/certified-ethical-hacker.html) when you begin studying for this book and again when you register for this exam.

About EC-Council

The International Council of Electronic Commerce Consultants is more commonly known as the EC-Council (www.eccouncil.org). It was created after the airplane attacks that happened against the United States on September 11, 2001. The founder, Jay Bavisi, wondered what would happen if the perpetrators of the attack decided to move from the kinetic world to the digital world. Even beyond that particular set of attackers, the Internet has become a host to a large number of people who are interested in causing damage or stealing information. The economics of the Internet, meaning the low cost of entry into the business, encourage criminals to use it as a means of stealing information, ransoming data, or other malicious acts.

The EC-Council is considered to be one of the largest certifying bodies in the world. It operates in 145 countries and has certified more than 200,000 people. In addition to the CEH, the EC-Council administers a number of other IT-related certifications:

  Certified Network Defender (CND)
  Certified Ethical Hacker Practical
  EC-Council Certified Security Analyst (ECSA)
  EC-Council Certified Security Analyst Practical
  Licensed Penetration Tester (LPT)
  Computer Hacking Forensic Investigator (CHFI)
  Certified Chief Information Security Officer (CCISO)

One advantage to holding a certification from the EC-Council is that the organization has been accredited by the American National Standards Institute (ANSI). Additionally, and perhaps more importantly for potential certification holders, the certifications from EC-Council are recognized worldwide and have been endorsed by governmental agencies like the National Security Agency (NSA). The Department of Defense Directive 8570 includes the CEH certification. This is important because having the CEH certification means that you could be quickly qualified for a number of positions with the United States government.

The CEH certification provides a bar. This means there is a set of known standards. To obtain the certification, you will need to have met at least the minimal standards. These standards can be relied on consistently. This is why someone with the CEH certification can be trusted. They have demonstrated that they have met known and accepted standards of both knowledge and professional conduct.

Using This Book

This book is structured in a way that foundational material is up front. With this approach, you can make your way in an orderly fashion through the book, one chapter at a time. Technical books can be dry and difficult to get through sometimes, but it’s always my goal to try to make them easy to read and I hope entertaining along the way.

If you already have a lot of experience, you don’t need to take the direct route from beginning to end. You can skip around as you need. No chapter relies on any other. They all stand alone with respect to the content. However, if you don’t have the foundation and try to jump to a later chapter, you may find yourself getting lost or confused by the material. All you need to do is jump back to some of the foundational chapters.

Beyond the foundational materials, the book generally follows a fairly standard methodology when it comes to performing security testing. This methodology will be further explained in Chapter 1. As a result, you can follow along with the steps of a penetration test/ethical hacking engagement. Understanding the outline and reason for the methodology will also be helpful to you. Again, though, if you know the material, you can move around as you need.

Additional Study Tools

This book is accompanied by an online learning environment that provides several additional elements. The following items are available among these companion files:

Practice tests: All of the questions in this book appear in our proprietary digital test engine—including the 30-question assessment test at the end of this introduction and the 100+ questions that make up the review question sections at the end of each chapter. In addition, there are four bonus exams, each 125 questions.

Electronic “flashcards”: The digital companion files include more than 100 questions in flashcard format (a question followed by a single correct answer). You can use these to review your knowledge of the exam objectives.

Glossary: The key terms from this book, and their definitions, are available as a fully searchable PDF.

Interactive Online Learning Environment and Test Bank

To start using additional online materials that accompany this book to study for the Certified Ethical Hacker exam, go to www.wiley.com/go/sybextestprep and click the link “Click here to register a product” to receive your unique PIN. Once you have the PIN, return to www.wiley.com/go/sybextestprep, find your book and click Register or Login, and follow the link to create a new account or add this book to an existing account.

Like all exams, the CEH certification from EC-Council is updated periodically and may eventually be retired or replaced. At some point after EC-Council is no longer offering this exam, the old editions of our books and online tools will be retired. If you have purchased this book after the exam was retired, or are attempting to register in the Sybex online learning environment after the exam was retired, please know that we make no guarantees that this exam’s online Sybex tools will be available once the exam is no longer available.

Objective Map

Table 1.1 contains an objective map to show you at a glance where in the book you can find each objective covered. While there are chapters listed for all of these, there are some objectives that are scattered throughout the book. Specifically, tools, systems, and programs get at least touched on in most of the chapters.

Table 1.1 Objective Map

Objective                                   Chapter
Tasks
  1.1 Systems development and management    7, 14
  1.2 Systems analysis and audits           4, 5, 6, 7
  1.3 Security testing and vulnerabilities  7, 8
  1.4 Reporting                             1, 7
  1.5 Mitigation                            7, 8
  1.6 Ethics                                1
Knowledge
  2.1 Background                            2, 3
  2.2 Analysis/assessment                   2, 11
  2.3 Security                              3, 13, 14
  2.4 Tools, systems, programs              4, 5, 6, 7
  2.5 Procedures/methodology                1, 4, 5, 6, 7, 14
  2.6 Regulation/policy                     1, 14
  2.7 Ethics                                1

Let’s Get Started!

This book is structured in a way that you will be led through foundational concepts and then through a general methodology for ethical hacking. You can feel free to select your own pathway through the book. Remember, wherever possible, get your hands dirty. Get some experience with tools, tactics, and procedures that you are less familiar with. It will help you a lot.
Take the self-assessment. It may help you get a better idea of how you can make the best use of this book.

How to Contact the Publisher

If you believe you’ve found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts an error may occur. In order to submit your possible errata, please email it to our Customer Service Team at [email protected] with the subject line “Possible Book Errata Submission.”

Assessment Test

1. Which header field is used to reassemble fragmented IP packets?
   A. Destination address
   B. IP identification
   C. Don’t fragment bit
   D. ToS field

2. If you were to see the following in a packet capture, what would you expect was happening?
   ' or 1=1;
   A. Cross-site scripting
   B. Command injection
   C. SQL injection
   D. XML external entity injection

3. What method might you use to successfully get malware onto a mobile device?
   A. Through the Apple Store or Google Play Store
   B. External storage on an Android
   C. Third-party app store
   D. Jailbreaking

4. What protocol is used to take a destination IP address and get a packet to a destination on the local network?
   A. DHCP
   B. ARP
   C. DNS
   D. RARP

5. What would be the result of sending the string AAAAAAAAAAAAAAAAA into a variable that has been allocated space for 8 bytes?
   A. Heap spraying
   B. SQL injection
   C. Buffer overflow
   D. Slowloris attack

6. If you were to see the subnet mask 255.255.248.0, what CIDR notation (prefix) would you use to indicate the same thing?
   A. /23
   B. /22
   C. /21
   D. /20

7. What is the primary difference between a worm and a virus?
   A. A worm uses polymorphic code.
   B. A virus uses polymorphic code.
   C. A worm can self-propagate.
   D. A virus can self-propagate.

8. How would you calculate risk?
   A. Probability * loss
   B. Probability * mitigation factor
   C. (Loss + mitigation factor) * (loss/probability)
   D. Loss * mitigation factor

9. How does an evil twin attack work?
   A. Phishing users for credentials
   B. Spoofing an SSID
   C. Changing an SSID
   D. Injecting four-way handshakes

10. To remove malware in the network before it gets to the endpoint, you would use which of the following?
   A. Antivirus
   B. Application layer gateway
   C. Unified threat management appliance
   D. Stateful firewall

11. What is the purpose of a security policy?
   A. Providing high-level guidance on the role of security
   B. Providing specific direction to security workers
   C. Increasing the bottom line of a company
   D. Aligning standards and practices

12. What has been done to the following string?
   %3Cscript%3Ealert('wubble');%3C/script%3E
   A. Base64 encoding
   B. URL encoding
   C. Encryption
   D. Cryptographic hashing

13. What would you get from running the command dig ns domain.com?
   A. Mail exchanger records for domain.com
   B. Name server records for domain.com
   C. Caching name server for domain.com
   D. IP address for the hostname ns

14. What technique would you ideally use to get all of the hostnames associated with a domain?
   A. DNS query
   B. Zone copy
   C. Zone transfer
   D. Recursive request

15. If you were to notice operating system commands inside a DNS request while looking at a packet capture, what might you be looking at?
   A. Tunneling attack
   B. DNS amplification
   C. DNS recursion
   D. XML entity injection

16. What would be the purpose of running a ping sweep?
   A. You want to identify responsive hosts without a port scan.
   B. You want to use something that is light on network traffic.
   C. You want to use a protocol that may be allowed through the firewall.
   D. All of the above.

17. How many functions are specified by NIST’s cybersecurity framework?
   A. 0
   B. 3
   C. 5
   D. 4

18. What would be one reason not to write malware in Python?
   A. The Python interpreter is slow.
   B. The Python interpreter may not be available.
   C. There is inadequate library support.
   D. Python is a hard language to learn.
19. If you saw the following command line, what would you be capturing?
   tcpdump -i eth2 host 192.168.10.5
   A. Traffic just from 192.168.10.5
   B. Traffic to and from 192.168.10.5
   C. Traffic just to 192.168.10.5
   D. All traffic other than from 192.168.10.5

20. What is Diffie-Hellman used for?
   A. Key management
   B. Key isolation
   C. Key exchange
   D. Key revocation

21. Which social engineering principle may allow a phony call from the help desk to be effective?
   A. Social proof
   B. Imitation
   C. Scarcity
   D. Authority

22. How do you authenticate with SNMPv1?
   A. Username/password
   B. Hash
   C. Public string
   D. Community string

23. What is the process Java programs identify themselves to if they are sharing procedures over the network?
   A. RMI registry
   B. RMI mapper
   C. RMI database
   D. RMI process

24. What do we call an ARP response without a corresponding ARP request?
   A. Is-at response
   B. Who-has ARP
   C. Gratuitous ARP
   D. IP response

25. What are the three times that are typically stored as part of file metadata?
   A. Moves, adds, changes
   B. Modified, accessed, deleted
   C. Moved, accessed, changed
   D. Modified, accessed, created

26. Which of these is a reason to use an exploit against a local vulnerability?
   A. Pivoting
   B. Log manipulation
   C. Privilege escalation
   D. Password collection

27. What principle is used to demonstrate that a signed message came from the owner of the key that signed it?
   A. Nonrepudiation
   B. Nonverifiability
   C. Integrity
   D. Authority

28. What is a viable approach to protecting against tailgating?
   A. Biometrics
   B. Badge access
   C. Phone verification
   D. Man traps

29. Why is bluesnarfing potentially more dangerous than bluejacking?
   A. Bluejacking sends, while bluesnarfing receives.
   B. Bluejacking receives, while bluesnarfing sends.
   C. Bluejacking installs keyloggers.
   D. Bluesnarfing installs keyloggers.

30. Which of the security triad properties does the Biba security model relate to?
   A. Confidentiality
   B. Integrity
   C. Availability
   D. All of them

Answers to Assessment Test

1. B. The destination address is used as the address to send messages to. The don’t fragment bit is used to tell network devices not to fragment the packet. The Type of Service (ToS) field can be used to perform quality of service. The IP identification field is used to identify fragments of the same packet, as they would all have the same IP identification number.

2. C. A SQL injection attack makes use of SQL queries, which can include logic that may alter the flow of the application. In the example provided, the intent is to force the result of the SQL query to always return a true. It is quoted the way it is to escape the existing query already in place in the application. None of the other attacks uses a syntax that looks like the example.

3. C. The Apple App Store and the Google Play Store are controlled by Apple and Google. It’s not impossible to get malware onto mobile devices that way, but it’s very difficult because apps get run through a vetting process. While some Android devices will support external storage, it’s not an effective way to get malware onto a smartphone or other mobile device. Jailbreaking can lead to malware being installed, but it’s not the means to get malware onto a mobile device. Third-party app stores can be a good means to get malware onto mobile devices because some third-party app stores don’t vet apps that are submitted.

4. B. DHCP is used to get IP configuration to endpoints. DNS is used to resolve a hostname to an IP address and vice versa. RARP is the reverse address protocol used to take a MAC address and resolve it to an IP address. ARP is used to resolve an IP address to a MAC address. Communication on a local network requires the use of a MAC address. The IP address is used to get to systems off the local network.

5. C. Heap spraying uses dynamically allocated space to store attack code. A slowloris attack is used to hold open web server connection buffers. A SQL injection will be used to inject SQL queries to the database server. A buffer overflow sends more data into the application than space has been allocated for.

6. B. A /23 network would be 255.255.254.0. A /22 would be 255.255.252.0. A /20 would be 255.255.240.0. Only a /21 would give you a 255.255.248.0 subnet mask.

7. C. Both worms and viruses could be written to use polymorphic code, which means they could modify what they look like as they propagate. A worm, though, could self-propagate. It’s the one distinction between worms and viruses. Viruses require some intervention on the part of the user to propagate and execute.

8. A. Risk is the probability of the occurrence of an event multiplied by the dollar value of loss. There is no mitigation factor that is quantified, so it couldn’t be used for a risk calculation.

9. B. An evil twin attack uses an access point masquerading as the point of connection for stations trying to connect to a legitimate wireless network. Stations reach out to make connections to this access point masquerading as another access point. While you may phish for credentials as part of an evil twin attack, credential phishing is not how evil twin attacks work. SSIDs don’t get changed as part of an evil twin attack, meaning no SSID that exists will become another SSID. Injecting four-way handshakes won’t do much, since four-way assumes both ends are communicating, so the injection of a full communication stream will get ignored.

10. C. Antivirus solutions are used on endpoints or maybe on email servers. Stateful firewalls add the ability to factor in the state of the connection—new, related, established. An Application layer gateway knows about Application layer protocols. A unified threat management appliance adds capabilities on top of firewall functions, including antivirus.

11. A. Standards and practices should be derived from a security policy, which is the high-level guidance on the role of security within an organization. Security does not generally increase the bottom line of a company. Policies are not for providing specific directions, which would be the role of procedures.

12. B. Base64 encoding takes nonprintable characters and encodes them in a way that they can be rendered in text. Encryption would generally render text unreadable to people. A cryptographic hash is a way of generating a fixed-length value to identify a value. URL encoding takes text and uses hexadecimal values to represent the characters. This is text that has been converted into hexadecimal so it can be used in a URL.

13. B. Mail exchanger records would be identified as MX records. A name server record is identified with the tag ns. While an enterprise may have one or even several caching name servers, the caching name server wouldn’t be said to belong to the domain since it doesn’t have any domain identification associated with it.

14. C. A DNS query can be used to identify an IP address from a hostname, or vice versa. You could potentially use a brute-force technique to identify hostnames, though you may not get everything using that method. A recursive request is common from a caching server to get an authoritative response. The term for getting all the contents of the zone is a zone transfer.

15. A. Tunneling attacks can be used to hide one protocol inside another. This may be used to send operating system commands using a tunnel system. A DNS amplification attack is where a small DNS request results in much larger responses sent to the target. DNS recursion is used to look up information from DNS servers. An XML entity injection attack is a web-based attack and wouldn’t be found inside a DNS request.

16. D. There may be several reasons for performing a ping sweep. You likely want to identify responsive hosts on the network segment you are targeting. You may not, though, want to use a full port scan. ICMP is a lightweight protocol, and there is a chance it will be allowed through the firewall, since it’s used for troubleshooting and diagnostics.

17. C. The NIST cybersecurity framework specifies five functions—identify, protect, detect, respond, recover.

18. B. Python interpreters may be considered to be slower to execute than a compiled program; however, the difference is negligible, and generally speed of execution isn’t much of a concern when it comes to malware. Python is not a hard language to learn, and there are a lot of community-developed libraries. One challenge, though, is that you may need a Python interpreter, unless you go through the step of getting a Python compiler and compiling your script. Windows systems wouldn’t commonly have a Python interpreter installed.

19. B. The expression host 192.168.10.5 is BPF indicating that tcpdump should only capture packets to and from 192.168.10.5. If you wanted to only get it to or from, you would need to modify host with src or dst.

20. C. Certificates can be revoked, but that’s not what Diffie-Hellman is used for. Key management is a much broader topic than what Diffie-Hellman is used for. Diffie-Hellman is used for key exchange. It is a process that allows parties to an encrypted conversation to mutually derive the same key starting with the same base value.

21. D. While you might be imitating someone, imitation is not a social engineering principle. Neither social proof nor scarcity is at play in this situation. However, if you are calling from the help desk, you may be considered to be in a position of authority.

22. D. SNMPv3 implemented username and password authentication. With version 1, you used a cleartext community string. SNMP doesn’t use hashes, and while the word public is often used as a community string, a public string is not a way to authenticate with SNMPv1.

23. A. Interprocess communications across systems using a network is called remote method invocation. The process that programs have to communicate with to get a dynamic port allocation is the RMI registry. This is the program you query to identify services that are available on a system that has implemented RMI.

24. C. When an ARP response is sent without a corresponding ARP request, it’s an unexpected or unnecessary message, so it is a gratuitous ARP.

25. D. There are three date and time stamps commonly used in file metadata. When the file is created, that moment is stored. When a file is accessed by a user, that moment is stored. When a file is modified, that moment is stored. Accessed is not the same as modified since accessing a file could be read-only. You could open a file, expecting to modify it but not ending up doing the modification. The access time still changes. While moves, adds, and changes may sometimes be referred to as MAC like modified, accessed, and created, those are not tasks associated with file times.

26. C. Local vulnerabilities are used against applications that are not listening on the network. This means they require you to be “local” to the machine and not remote. In other words, you have to be logged in somehow. A local vulnerability would not be used to collect passwords since you don’t need a vulnerability to do that. Similarly, you don’t need to make use of a vulnerability to manipulate logs or to pivot. Most of those would require you to have elevated permissions, though. A local vulnerability may be exploited to get you those elevated permissions.

27. A. Integrity is part of the CIA triad but isn’t the principle that ties a signed message back to the subject of the signing certificate. Nonverifiability is nonsense, and authority isn’t relevant here. Instead, nonrepudiation means someone can’t say they didn’t send a message if it was signed with their key and that key was in their possession and password-protected.
28. D. Biometrics and badge access are forms of physical access control. Phone verification could possibly be used as a way of verifying identity, but it won’t protect against tailgating. A man trap, however, will protect against tailgating because a man trap allows only one person in at a time.

29. B. Bluesnarfing is an attack that connects to a Bluetooth device to grab data from that device. Bluejacking can be used to send information to a Bluetooth device that is receiving from the attacker, such as a text message. Neither of these attacks installs keyloggers. The victim device sends information to the attacker in a bluesnarfing attack.

30. B. The Biba security model covers data integrity. While other models cover confidentiality, none of them covers availability.

Chapter 1
Ethical Hacking

THE FOLLOWING CEH EXAM TOPICS ARE COVERED IN THIS CHAPTER:
✓ Professional code of conduct
✓ Appropriateness of hacking
✓ Five phases of ethical hacking

Welcome to the exciting world of information security and, specifically, the important world of what is referred to as ethical hacking or penetration testing. You’re here because you want to take the exam that will get you the Certified Ethical Hacker (CEH) certification. Perhaps you have done the training from EC-Council, the organization that manages the CEH certification, and you want a resource with a different perspective to help you as you prepare for the exam. Or you’ve decided to go the self-study route and you have enough experience to qualify for the exam. One way or another, you’re here now, and this book will help improve your understanding of the material to prepare for the exam. The exam covers a wide range of topics, often at a deeply technical level, so you really need to have a solid understanding of the material.
This is especially true if you choose to go on to the practical exam (a lab-based hands-on exam) to earn the CEH Master certification. This chapter, however, will be your starting point, and there is nothing technical here. In it, you’ll get a chance to understand the foundations of the entire exam. First, you’ll learn just what ethical hacking is, as well as what it isn’t. The important part of the term ethical hacking is the ethical part. When you take the exam, you will be expected to abide by a code. It’s essential to understand that code so you can live by it throughout your entire career. Finally, you’ll learn what EC-Council is, as well as the format and other details of the exam that will be useful to you.

While some of it may seem trivial, it can be helpful to get a broader context for why the exam was created and learn about the organization that runs it. Personally, I find it useful to understand what’s underneath something rather than experience it at a superficial level. As a result, you’ll get the macro explanation, and you can choose to use it or not, depending on whether you find it helpful. It won’t be part of the exam, but it may help you understand what’s behind the exam so you understand the overall intentions.

Overview of Ethics

Before we start talking about ethical hacking, I will cover the most important aspect of that, which is ethics. You’ll notice it’s not referred to as “hacking ethically.” It’s ethical hacking. The important part is in the front. Ethics can be a challenging subject because you will find that they are not universal. Different people have different views of what is ethical and what is not ethical. It’s essential, though, that you understand what ethics are and what is considered ethical and unethical from the perspective of the Certified Ethical Hacker certification. This is a critical part of the exam and the certification. After all, you are being entrusted with access to sensitive information and critical systems.
To keep yourself viable as a professional, you need to behave and perform your work in an ethical manner. Not only will you be expected to behave ethically, you will be expected to adhere to a code of ethics. As part of the code of ethics, you will be sworn to keep information you obtain as part of your work private, paying particular attention to protecting the information and intellectual property of employers and clients. When you are attacking systems that belong to other people, you could be provided with internal information that is sensitive. You could also come across some critical information vital to the organization for which you are working. Failing to protect any of that data violates the code of ethics by compromising the confidentiality of that information.

You are expected to disclose information that needs to be disclosed to the people who have engaged your services. This includes any issues that you have identified. You are also expected to disclose potential conflicts of interest that you may have. It’s important to be transparent in your dealings and also do the right thing when it comes to protecting your clients, employers, and their business interests. Additionally, if you come across something that could have an impact on a large number of people across the Internet, you are expected to disclose it in a responsible manner. This doesn’t mean disclosing it in a public forum. It means working with your employer, any vendor that may be involved, and any computer emergency response team (CERT) that may have jurisdiction over your findings.

The first time responsible disclosure was identified and documented was in the 1990s. The security researcher Rain Forest Puppy developed a full disclosure policy, sometimes called the Rain Forest Puppy Policy (RFP or RFPolicy). It advocated working closely with vendors to ensure they had time to fix issues before announcing them.
At the time, there was a tendency for so-called researchers to just publish findings to the public to make a name for themselves without regard to the possibility of exposing innocent people when the vulnerabilities they found were exploited by attackers. On the other side, companies that developed software hadn’t caught up with the idea that they needed to be on top of vulnerabilities, and the slow months- or years-long pace of software development wasn’t possible any longer with word of vulnerabilities getting out within minutes around the world. Hackers may have tried to notify a company only to have that company ignore the contact. Other companies may have acknowledged the bug but then dragged their feet about getting fixes out to their customers. The RFPolicy was an attempt to ensure that those who found vulnerabilities didn’t just announce them indiscriminately but also had the ability to make the announcement if the company started to drag their feet. Wide acceptance of this policy within the security community dramatically increased the collaboration between those who were looking for vulnerabilities and those companies who had to be conscious of their consumers who may be exposed to attack if vulnerabilities were announced.

For examples of responsible disclosure, look at the work of Dan Kaminsky. In the mid-2000s, he found serious flaws in the implementations of the Domain Name System (DNS), which impacts everyone on the Internet. He worked responsibly with vendors to ensure that they had time to fix their implementations and remediate the vulnerabilities before he disclosed them. In the end, he did disclose the vulnerabilities in a very public manner, but only after vendors had time to fix the issue. This meant he wasn’t putting people in the path of compromise and potential information disclosure.
Even though he was using the software in a way that it wasn’t intended to be used, he was using an ethical approach by attempting to address an issue before someone could make use of the issue in a malicious way.

As you perform work, you will be given access to resources provided by the client or company. Under the EC-Council code of ethics you will need to agree to, you cannot misuse any of the equipment. You can’t damage anything you have access to as part of your employment or contract. There will be times when the testing you are performing may cause damage to a service provided by the infrastructure of the company you are working for or with. As long as this is unintentional or agreed to be acceptable by the company, this is okay. One way to alleviate this concern is to keep lines of communication open at all times. If it happens that an unexpected outage occurs, ensuring that the right people know so it can be remedied is essential.

Perhaps it goes without saying, but you are not allowed to engage in any illegal actions during a penetration testing campaign. Similarly, you cannot have been convicted of any felony. Along the same lines, though it’s not directly illegal, you can’t be involved with any group that may be considered “black hat,” meaning they are engaged in potentially illegal activities, such as attacking computer systems for malicious purposes.

Colorful Terminology

You may regularly hear the terms white hat, black hat, and gray hat. White-hat hackers are people who always do their work for good. Black-hat hackers, probably not surprisingly, are people who do bad things, generally actions that are against the law. Gray-hat hackers, though, fall in the middle: they are working for good, but they are using the techniques of black-hat hackers. These terms are falling out of favor due to their association with race; several newer sets are becoming common, such as authorized, unauthorized, and semi-authorized entities.
The original terms may still be in use by EC-Council, but it is important to be aware of the evolution of terminology.

Communication is also important when you embark on an engagement, regardless of whether you are working on contract or are a full-time employee. When you are taking on a new engagement, it’s essential to be clear about the expectations for your services. If you have the scope of your services in writing, everything is clear and documented. As long as what you are being asked to do is not illegal and the scope of activities falls within systems run by the company you are working for, your work would be considered ethical. If you stray outside of the scope of systems, networks, and services, your actions would be considered unethical. When you keep your interactions professional and ensure that it’s completely clear to your employer what you are doing, as long as your actions are against systems belonging to your employer, you should be on safe ground ethically.

Overview of Ethical Hacking

These days, it’s hard to look at any source of news without seeing something about data theft, Internet-based crime, or various other attacks against people and businesses. What we see in the news, actually, are the big issues, with large numbers of records compromised or big companies breached. What you don’t see is the number of system compromises where the target of the attack is someone’s personal computer or other device. Consider, for example, the Mirai botnet, which infected smaller, special-purpose devices running an embedded implementation of Linux. The number of devices thought to have been compromised and made part of that botnet is well over 100,000, with the possibility of there being more than one million.

Each year, millions of new pieces of malware are created, often making use of new vulnerabilities that have been recently discovered.
Since 2005, there has not been a year without at least 10 million data records compromised. In the year 2017, nearly 200 million records were compromised. These numbers are just from the United States. To put this into perspective, there are only about 250 million adults in the United States, so it’s safe to say that every adult has had their information compromised numerous times. To be clear, the data records that we’re talking about belong to individual people and not to businesses. There is minimal accounting of the total value of intellectual property that may have been stolen, but it’s clear that the compromise has been ongoing for a long time.

All of this is to say, there is an urgent need to improve how information security is handled. It’s believed that to protect against attacks, you have to be able to understand those attacks. Ideally, you need to replicate the attacks. If businesses are testing attacks against their own infrastructure early and often, those businesses could be in a better position to improve their defenses and keep the real attackers out.

This type of testing is what ethical hacking really is. It is all about ferreting out problems with the goal of improving the overall security posture of the target. This may be for a company in terms of their infrastructure or even desktop systems. It may also be performing testing against software to identify bugs that can be used to compromise the software and, subsequently, the system where the software is running. The aim is not to be malicious but to be on the “good” side to make the situation better. This is something you could be hired or contracted to perform for a business. They may have a set of systems or web applications they want tested. You could also have software that needs to be tested. There are a lot of people who perform testing on software—both commercial and open source.

Ethical hacking can be done under many different names.
You may not always see the term ethical hacking, especially when you are looking at job titles. Instead, you will see the term penetration testing. It’s essentially the same thing. The idea of a penetration test is to attempt to penetrate the defenses of an organization. That may also be the goal of an ethical hacker. You may also see the term red teaming, which is generally considered a specific type of penetration test where the testers are adversarial to the organization and network under test. A red teamer would actually act like an attacker, meaning they would try to be stealthy so as not to be detected.

One of the challenging aspects of this sort of activity is having to think like an attacker. Testing of this nature is often challenging and requires a different way of thinking. When doing any sort of testing, including ethical hacking, a methodology is important, as it helps ensure that your actions are both repeatable and verifiable. There are a number of methodologies you may come across. Professionals who have been doing this type of work for a while may have developed their own style. However, they will often follow common steps, such as the ones I am going to illustrate as we move through the chapter.

EC-Council helps to ensure that this work is done ethically by requiring anyone who has obtained the Certified Ethical Hacker certification to agree to a code of conduct. This code of conduct holds those who have their CEH certification to a set of standards ensuring that they behave ethically, in service to their employers. They are expected to not do harm and to work toward improving the security posture rather than doing damage to that posture.

Attack Modeling

As with so many things, using a methodology is valuable when it comes to ethical hacking or security testing. Methodologies can help with consistency, repeatability, and process improvement.
Consistency is important because you want to run the same sets of tests or probes no matter who you are testing against. Let’s say you are working with a company that keeps asking you back. Without consistency, you may miss some findings from one test to another, which may let the client think they improved, or the finding doesn’t exist any longer. This would be a bad impression to leave a company with. Similarly, repeatability gives you the ability to do the same tests every time you run the assessment. In fact, if you are working with a team, every one of you should be able to run the sets of tests. Again, you want to be sure that any organization you are assessing will have the same perspective on their security posture, no matter how many times they come to you and no matter who the organization is.

There are some testing or assessment methodologies that get used throughout the industry, including the Penetration Testing Execution Standard (PTES) and the Open Source Security Testing Methodology Manual (OSSTMM). These methodologies are typically built around expectations of what an attacker would do or how attackers operate. These may not map perfectly to how attackers operate in the real world, but they do help to ensure a consistency and breadth of approach to security testing, which makes them valuable. In addition, many common security testing methodologies are models of how attackers operate. The first is the cyber kill chain, another is the attack life cycle, while a third is the MITRE ATT&CK framework. When we get to look at the methodologies of ethical hacking, you will see the similarities in these models to the phases of ethical hacking used by EC-Council.

Cyber Kill Chain

A commonly referred-to framework in the information security space is the cyber kill chain. A kill chain is a military concept of the structure of an attack.
The idea of a kill chain is that you can identify where the attacker is in their process so you can adapt your own response tactics. Lockheed Martin, a defense contractor, adapted the military concept of a kill chain to the information security (or cybersecurity) space. Figure 1.1 shows the cyber kill chain, as developed by Lockheed Martin.

FIGURE 1.1 Cyber kill chain (Phases of the Intrusion Kill Chain)
Reconnaissance: Research, identification, and selection of targets.
Weaponization: Pairing remote access malware with exploit into a deliverable payload (e.g., Adobe PDF and Microsoft Office files).
Delivery: Transmission of weapon to target (e.g., via email attachments, websites, or USB drives).
Exploitation: Once delivered, the weapon’s code is triggered, exploiting vulnerable applications or systems.
Installation: The weapon installs a backdoor on a target’s system, allowing persistent access.
Command & Control: Outside server communicates with the weapons providing “hands-on keyboard access” inside the target’s network.
Actions on Objective: The attacker works to achieve the objective of the intrusion, which can include exfiltration or destruction of data, or intrusion of another target.

The first stage of the cyber kill chain is reconnaissance. This is where the attacker identifies their target as well as potential points of attack. This may include identifying vulnerabilities that could be exploited. There may be a lot of information about the target gathered in this phase, which will be useful later in the attack process.

Once the attacker has identified a target, they need to determine how to attack the target. This is where weaponization comes in. The attacker may create a custom piece of malware, for instance, that is specific to the target. They may just use a piece of common off-the-shelf (COTS) malware, though this has the potential to be discovered by antivirus software installed in the victim’s environment.
The attacker may decide this doesn’t matter and simply send more malicious software to more individuals. Delivery is how you get the weapon (the malware or the link to a rogue website) into the victim’s environment. This could be a network-based attack, meaning there is an exposed service that may be vulnerable to remote exploit. It could be sending an attachment via email, or it could be that the malicious software is hosted on a web server the victim is expected to visit, and they get infected when they hit the website. Exploitation could be when the malicious software infects the victim’s system.

Exploitation leads to installation. The attacker will install additional software to maintain access to the system and perhaps give themselves remote access to it. Once installation is complete, the attacker moves to command & control. You will sometimes see this referred to as C2 or C&C. The command-and-control phase gives attackers remote access to the infected system. This may involve installation of additional software, or it may involve sending directives to the infected system.

The attacker may be trying to get information from the infected system or have the system perform actions like participating in a large-scale denial-of-service attack. These actions are called actions on objectives. Each attacker may have different objectives they are trying to achieve. Attackers who are criminally oriented are probably looking for ways to monetize the infected systems by stealing information or by selling off access to another organization. So-called nation-state actors may be looking to gain access to intellectual property. No matter what the organization is, they have objectives they are trying to achieve. They will keep going until they achieve those objectives, so there is a lot of activity that happens in this phase of the kill chain.
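The defensive value of the kill chain described above is being able to tell which phase an intrusion has reached and respond accordingly. The following Python is an added example, not code from the book or from Lockheed Martin: it maps constructed sample detections to kill chain phases using hypothetical regex rules, reports the furthest phase reached, and lists the earlier phases for which no telemetry exists.

```python
import re

# Lockheed Martin's kill chain phases in order; the index says how far along
# the intrusion is. Weaponization happens attacker-side, so no local telemetry
# is expected for it and it is never reported as a detection gap.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Actions on Objectives"]
UNOBSERVABLE = {"Weaponization"}

# Constructed mapping rules (hypothetical, not from any product): a regex over
# the event text and the phase that event is evidence for.
RULES = [
    (re.compile(r"port scan|directory enumeration", re.I), "Reconnaissance"),
    (re.compile(r"attachment quarantined|mail with .*\.docm", re.I), "Delivery"),
    (re.compile(r"macro executed|exploit", re.I), "Exploitation"),
    (re.compile(r"scheduled task created|run key modified", re.I), "Installation"),
    (re.compile(r"beacon|periodic outbound", re.I), "Command & Control"),
    (re.compile(r"large outbound transfer|exfil", re.I), "Actions on Objectives"),
]

def classify(event_text):
    """Return the kill chain phase an event is evidence for, or None."""
    for pattern, phase in RULES:
        if pattern.search(event_text):
            return phase
    return None

def assess(events):
    """Given (iso_timestamp, host, text) tuples, return the furthest phase reached,
    the first evidence per phase, and earlier phases with no evidence (gaps)."""
    seen = {}
    for ts, host, text in sorted(events, key=lambda e: e[0]):
        phase = classify(text)
        if phase and phase not in seen:
            seen[phase] = (ts, host)   # earliest evidence wins after sorting
    if not seen:
        return {"furthest": None, "seen": {}, "gaps": []}
    furthest = max(PHASES.index(p) for p in seen)
    gaps = [p for p in PHASES[:furthest] if p not in seen and p not in UNOBSERVABLE]
    return {"furthest": PHASES[furthest], "seen": seen, "gaps": gaps}

# Constructed sample events from one intrusion (not real telemetry).
SAMPLE_EVENTS = [
    ("2023-03-01T09:12:00", "mailgw01", "Attachment quarantined: invoice.docm"),
    ("2023-03-01T09:14:30", "ws-042", "Office macro executed, spawned powershell.exe"),
    ("2023-03-01T09:15:05", "ws-042", "Scheduled task created by user jdoe"),
    ("2023-03-01T09:20:00", "fw01", "Periodic outbound HTTPS beacon from ws-042"),
]
```

For the sample events, assess(SAMPLE_EVENTS) reports Command & Control as the furthest phase and Reconnaissance as the only gap, which tells the responder the intrusion is already past delivery and exploitation on ws-042 rather than still at the mail gateway.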
Attack Lifecycle

The security technology and consulting company Mandiant often refers to a different methodology called the attack life cycle. This is different from the cyber kill chain, though there are some similarities. Rather than a theoretical exercise or one with a military focus, the attack life cycle describes exactly how attackers have operated for as far back as there have been attacks against computing infrastructure. If you go back and look at how the Chaos Computer Club operated in the 1980s or Kevin Mitnick and his contemporaries operated in the late 1970s into the 1980s and beyond, you can map their actions directly into the attack life cycle. Figure 1.2 shows how the attack life cycle looks.

One significant difference between the attack life cycle and the cyber kill chain is a recognition that often an attack is not one-and-done. There is a loop that happens in the middle. Attackers don’t keep launching attacks from outside the network. Once they get into the environment, they use the compromised systems as launch points for additional compromises within the environment. Attackers will gain access to a system and use that system and anything discovered there, like credentials, to move off to another system in the network. Before we get there, though, an attacker identifies a victim and potential attack possibilities in the initial recon stage. The attacker is doing reconnaissance, including identifying names and titles using open source intelligence, meaning they use public sources like social network sites, to generate attacks. To gain access, they launch attacks—commonly, these would be phishing attacks. This is the initial compromise stage.

Figure 1.2 Attack life cycle. Stages: Initial Recon, Initial Compromise, Establish Foothold, Escalate Privileges, Complete Mission; the loop in the middle consists of Internal Recon, Move Laterally, and Maintain Presence.

Once they have compromised a system, the attacker will work to establish a foothold.
This includes making sure they retain access to the system so they can get back in when they need to. It’s perhaps important to recognize that these attacks don’t happen in a bang-bang fashion. It may take days or weeks to move from one phase of the attack life cycle to another. This depends on the organization performing the attacks. These are not individuals. They are organizations, so there may be different employees working on different stages.

To do much else, the attacker will need to escalate privileges. They need to have administrative privileges to move into the loop that happens as they continue to move through the environment, gathering additional systems along the way. They will probably be gathering credentials from memory or disk here. They will also be investigating connections the system is known to have had with other systems in the network. This is a form of internal reconnaissance. They may also be trying to identify other credentials that are known to the system.

The reconnaissance is necessary to be able to move laterally. This is sometimes known as east-west movement. If you think about the network diagram, the connection to the outside world is quite often on the top. On a map, this would be north, so moving into and out of the network is known as north-south. Any movement within the organization is side to side or lateral movement. On a map, side to side would be east-west. To make those lateral movements, attackers need to know what systems there are. It may be servers, since individual systems are likely to know a lot of servers they communicate with, but it may also be individual workstations. In an enterprise network, it may be possible to authenticate using captured credentials against other workstations, which may have access to different sets of servers. With every system the attacker gets access to, they need to maintain presence.
This means some form of persistence, so any malware that is allowing the attacker access remains running. You might use the Windows registry, scheduled tasks, or other types of persistence to keep any malware running so the attacker can keep getting back in when they want.

The last phase of the attack life cycle, though leaving it until the end is misleading, is complete mission. Again, attacks tend not to be one-and-done. Once an attacker is in your environment, they will likely be continuing to revisit to see if there is anything else they need. They may be continuing to get a broader reach within the organization. The complete mission phase is where data may be exfiltrated from the environment. This, again, may not be a onetime thing. The attacker may continue to find additional targets in the environment to exploit, which would likely mean additional exfiltration. This means there would be continuous returns to this phase. After all, if you are planning to take up years-long residence, you don’t want to wait years before getting data out because you can’t, as an attacker, ever know when something may change and you lose access.

MITRE ATT&CK Framework

While the attack life cycle does a good job of describing the process an attacker goes through, it does not describe the specific behaviors used by the attacker, which are called techniques, tactics, and procedures (TTPs). The MITRE ATT&CK Framework is a taxonomy of TTPs, which means it is a way of organizing TTPs that have been seen in the real world into a set of categories. Mostly, the categories follow the same attack trajectory seen in the attack life cycle and the cyber kill chain, though there are some categories that are called out separately because it’s useful to understand some of the specific TTP categories that may be done in a parallel stream or be part of multiple stages of the attack life cycle or cyber kill chain. Examples include resource development and execution.
Following are the stages the ATT&CK Framework identifies.

Reconnaissance: The attacker is looking for victims or ways to get into victims’ systems that have been identified.
Resource Development: Infrastructure for managing compromised hosts is put together here, as well as developing exploits or collecting credentials from other sources that could be used.
Initial Access: Systems or user accounts are compromised to provide the attacker access to a resource that can be used.
Execution: This is not a stage itself, but instead describes a series of actions or behaviors an attacker might use to maintain access to the system. This could include, for instance, executing PowerShell scripts.
Persistence: The attacker needs to ensure they maintain access beyond reboots or other system changes, so they need to be sure they have a program that always runs when the system is started, or at least when a user logs in.
Privilege Escalation: As user behavior is restricted, attackers would typically look to gain administrative privileges. The process of obtaining that level of permissions is called privilege escalation.
Defense Evasion: Businesses will do a lot of work trying to protect systems, looking for malware and instances of persistence. When attackers try to get access and maintain access regardless of the protection measures in place, it’s defense evasion and may include masquerading or execution hijacking or tampering with protections in place.
Credential Access: A common attack practice is to gather usernames and passwords. This may be done either from previous attacks or from systems or users directly. Any username and password set may be useful at some point.
Discovery: Any activity that collects information within the victim environment could be considered discovery.
Lateral Movement: Attackers will generally move from one system to another within the victim environment, to collect more information or to gather details about systems or users that could be used elsewhere.
Collection: Once the attacker has found information they want to use or sell, they need to pull it together. This is the collection referred to here. It may be something simple like staging the data somewhere in the network.
Command and Control: The attacker needs a way of getting remote access to systems or to send commands to those systems. Usually, there is infrastructure in place to perform this command and control work. With firewalls in place, direct access to victim systems is not commonly possible, so the connection needs to be initiated from the inside of the network.
Exfiltration: Data that has been collected needs to be moved out to the attacker locations so it can be dealt with. Moving the data out of the target environment to the attacker’s place is exfiltration.
Impact: Attackers aren’t always looking to steal information. Sometimes, they are looking to be destructive, or in the case of some types of ransomware, they are looking to modify data by encrypting it so victims can’t get access, requiring they pay the attacker. These are the types of activities that fall under impact.

The MITRE ATT&CK Framework continues to be updated with new TTPs as they are discovered. These TTPs are different from a collection of exploits, though. You will not find anything like step-by-step instructions for performing an attack. Instead, you will find reasonably high-level and generic descriptions of activities like network sniffing or escape to host.

Methodology of Ethical Hacking

The basic methodology is meant to reproduce what real-life attackers would do. You will see similarities here to both the cyber kill chain and the attack life cycle.
Companies can shore up their security postures using information that comes from each stage covered here. One thing to keep in mind when it comes to information security is that not everything is about protection or prevention. You need to be able to detect all of these attacker activities.

Reconnaissance and Footprinting

Reconna