CEH v10 Certified Ethical Hacker Study Guide PDF
2019
Ric Messier
Summary
This is a study guide for the Certified Ethical Hacker (CEH) v10 certification, covering ethical hacking concepts, network fundamentals, security foundations, and reconnaissance techniques. The guide covers various important topics within cybersecurity.
CEH v10™ Certified Ethical Hacker Study Guide
Ric Messier, CEH, GCIH, GSEC, CISSP

Development Editor: Kim Wimpsett
Technical Editors: Russ Christy and Megan Daudelin
Senior Production Editor: Christine O’Connor
Copy Editor: Judy Flynn
Editorial Manager: Pete Gaughan
Production Manager: Kathleen Wisor
Associate Publisher: Jim Minatel
Book Designers: Judy Fung and Bill Gibson
Proofreader: Louise Watson, Word One New York
Indexer: Johnna VanHoose Dinse
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: Getty Images Inc. / Jeremy Woodhouse

Copyright © 2019 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-53319-1
ISBN: 978-1-119-53325-2 (ebk.)
ISBN: 978-1-119-53326-9 (ebk.)
Manufactured in the United States of America

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials.
The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read. For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002. Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com. Library of Congress Control Number: 2019940400 TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CEH is a trademark of EC-Council. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book. 
About the Author

Ric Messier, GCIH, GSEC, CEH, CISSP, MS, has entirely too many letters after his name, as though he spends time gathering up strays that follow him home at the end of the day. His interest in information security began in high school but was cemented when he was a freshman at the University of Maine, Orono, when he took advantage of a vulnerability in a jailed environment to break out of the jail and gain elevated privileges on an IBM mainframe in the early 1980s. His first experience with Unix was in the mid-1980s and with Linux in the mid-1990s. Ric is an author, trainer, educator, and security professional with multiple decades of experience. He is currently a Senior Information Security Consultant with FireEye Mandiant and occasionally teaches courses at Harvard University and the University of Colorado Boulder.

Contents at a Glance

Introduction
Assessment Test
Chapter 1 Ethical Hacking
Chapter 2 Networking Foundations
Chapter 3 Security Foundations
Chapter 4 Footprinting and Reconnaissance
Chapter 5 Scanning Networks
Chapter 6 Enumeration
Chapter 7 System Hacking
Chapter 8 Malware
Chapter 9 Sniffing
Chapter 10 Social Engineering
Chapter 11 Wireless Security
Chapter 12 Attack and Defense
Chapter 13 Cryptography
Chapter 14 Security Architecture and Design
Appendix Answers to Review Questions
Index

Contents

Introduction
Assessment Test

Chapter 1 Ethical Hacking
  Overview of Ethics
  Overview of Ethical Hacking
  Methodology of Ethical Hacking
  Reconnaissance and Footprinting
  Scanning and Enumeration
  Gaining Access
  Maintaining Access
  Covering Tracks
  Summary

Chapter 2 Networking Foundations
  Communications Models
  Open Systems Interconnection
  TCP/IP Architecture
  Topologies
  Bus Network
  Star Network
  Ring Network
  Mesh Network
  Hybrid
  Physical Networking
  Addressing
  Switching
  IP
  Headers
  Addressing
  Subnets
  TCP
  UDP
  Internet Control Message Protocol
  Network Architectures
  Network Types
  Isolation
  Remote Access
  Cloud Computing
  Storage as a Service
  Infrastructure as a Service
  Platform as a Service
  Software as a Service
  Internet of Things
  Summary
  Review Questions

Chapter 3 Security Foundations
  The Triad
  Confidentiality
  Integrity
  Availability
  Parkerian Hexad
  Risk
  Policies, Standards, and Procedures
  Security Policies
  Security Standards
  Procedures
  Guidelines
  Security Technology
  Firewalls
  Intrusion Detection Systems
  Intrusion Prevention Systems
  Security Information and Event Management
  Being Prepared
  Defense in Depth
  Defense in Breadth
  Logging
  Auditing
  Summary
  Review Questions

Chapter 4 Footprinting and Reconnaissance
  Open-Source Intelligence
  Companies
  People
  Social Networking
  Domain Name System
  Name Lookups
  Zone Transfers
  Passive Reconnaissance
  Website Intelligence
  Technology Intelligence
  Google Hacking
  Internet of Things (IoT)
  Summary
  Review Questions

Chapter 5 Scanning Networks
  Ping Sweeps
  Using fping
  Using MegaPing
  Port Scanning
  Nmap
  masscan
  MegaPing
  Vulnerability Scanning
  OpenVAS
  Nessus
  Packet Crafting and Manipulation
  hping
  packETH
  fragroute
  Evasion Techniques
  Summary
  Review Questions

Chapter 6 Enumeration
  Service Enumeration
  Remote Procedure Calls
  SunRPC
  Remote Method Invocation
  Server Message Block
  Built-In Utilities
  Nmap Scripts
  Metasploit
  Other Utilities
  Simple Network Management Protocol
  Simple Mail Transfer Protocol
  Web-Based Enumeration
  Summary
  Review Questions

Chapter 7 System Hacking
  Searching for Exploits
  System Compromise
  Metasploit Modules
  Exploit-DB
  Gathering Passwords
  Password Cracking
  John the Ripper
  Rainbow Tables
  Client-Side Vulnerabilities
  Post Exploitation
  Privilege Escalation
  Pivoting
  Persistence
  Covering Tracks
  Summary
  Review Questions

Chapter 8 Malware
  Malware Types
  Virus
  Worm
  Trojan
  Botnet
  Ransomware
  Dropper
  Malware Analysis
  Static Analysis
  Dynamic Analysis
  Creating Malware
  Writing Your Own
  Using Metasploit
  Malware Infrastructure
  Antivirus Solutions
  Summary
  Review Questions

Chapter 9 Sniffing
  Packet Capture
  tcpdump
  tshark
  Wireshark
  Berkeley Packet Filter (BPF)
  Port Mirroring/Spanning
  Packet Analysis
  Spoofing Attacks
  ARP Spoofing
  DNS Spoofing
  sslstrip
  Summary
  Review Questions

Chapter 10 Social Engineering
  Social Engineering
  Pretexting
  Social Engineering Vectors
  Physical Social Engineering
  Badge Access
  Man Traps
  Biometrics
  Phone Calls
  Baiting
  Phishing Attacks
  Website Attacks
  Cloning
  Rogue Attacks
  Wireless Social Engineering
  Automating Social Engineering
  Summary
  Review Questions

Chapter 11 Wireless Security
  Wi-Fi
  Wi-Fi Network Types
  Wi-Fi Authentication
  Wi-Fi Encryption
  Bring Your Own Device (BYOD)
  Wi-Fi Attacks
  Bluetooth
  Scanning
  Bluejacking
  Bluesnarfing
  Bluebugging
  Mobile Devices
  Mobile Device Attacks
  Summary
  Review Questions

Chapter 12 Attack and Defense
  Web Application Attacks
  XML External Entity Processing
  Cross-Site Scripting (XSS)
  SQL Injection
  Command Injection
  Denial of Service Attacks
  Bandwidth Attacks
  Slow Attacks
  Legacy
  Application Exploitation
  Buffer Overflow
  Heap Spraying
  Lateral Movement
  Defense in Depth/Defense in Breadth
  Defensible Network Architecture
  Summary
  Review Questions

Chapter 13 Cryptography
  Basic Encryption
  Substitution Ciphers
  Diffie-Hellman
  Symmetric Key Cryptography
  Data Encryption Standard (DES)
  Advanced Encryption Standard (AES)
  Asymmetric Key Cryptography
  Hybrid Cryptosystem
  Non-Repudiation
  Elliptic Curve Cryptography
  Certificate Authorities and Key Management
  Certificate Authority
  Trusted Third Party
  Self-Signed Certificates
  Cryptographic Hashing
  PGP and S/MIME
  Summary
  Review Questions

Chapter 14 Security Architecture and Design
  Data Classification
  Security Models
  State Machine
  Biba
  Bell-LaPadula
  Clark-Wilson Integrity Model
  Application Architecture
  n-tier Application Design
  Service-Oriented Architecture
  Cloud-Based Applications
  Database Considerations
  Security Architecture
  Summary
  Review Questions

Appendix Answers to Review Questions
  Chapter 2: Networking Foundations
  Chapter 3: Security Foundations
  Chapter 4: Footprinting and Reconnaissance
  Chapter 5: Scanning Networks
  Chapter 6: Enumeration
  Chapter 7: System Hacking
  Chapter 8: Malware
  Chapter 9: Sniffing
  Chapter 10: Social Engineering
  Chapter 11: Wireless Security
  Chapter 12: Attack and Defense
  Chapter 13: Cryptography
  Chapter 14: Security Architecture and Design

Index

Introduction

You’re thinking about becoming a Certified Ethical Hacker (CEH). No matter what variation of security testing you are performing—ethical hacking, penetration testing, red teaming or application assessment—the skills and knowledge necessary to achieve this certification are in demand. Even the idea of security testing and ethical hacking is evolving as businesses and organizations begin to have a better understanding of the adversaries they are facing. It’s no longer the so-called script kiddies that businesses felt they were fending off for so long. Today’s adversary is organized, well-funded, and determined.
This means testing requires different tactics. Depending on who you are listening to, 80–90 percent of attacks today use social engineering. The old technique of looking for technical vulnerabilities in network services is simply not how attackers are getting into networks. Networks that are focused on applying a defense in depth approach, hardening the outside, may end up being susceptible to attacks from the inside, which is what happens when desktop systems are compromised. The skills needed to identify vulnerabilities and recommend remediations are evolving, along with the tactics and techniques used by attackers.

This book is written to help you understand the breadth of content you will need to know to obtain the CEH certification. You will find a lot of concepts to provide you a foundation that can be applied to the skills required for the certification. While you can read this book cover to cover, for a substantial chunk of the subjects getting hands-on experience is essential. The concepts are often demonstrated through the use of tools. Following along with these demonstrations and using the tools yourself will help you understand the tools and how to use them. Many of the demonstrations are done in Kali Linux, though many of the tools have Windows analogs if you are more comfortable there.

We can’t get through this without talking about ethics, though you will find it mentioned several places throughout the book. This is serious, and not only because it’s a huge part of the basis for the certification. It’s also essential for protecting yourself and the people you are working for. The very short version of it is do not do anything that would cause damage to systems or your employer. There is much more to it than that, which you’ll read more about in Chapter 1 as a starting point. It’s necessary to start wrapping your head around the ethics involved in this exam and profession.
You will have to sign an agreement as part of achieving your certification.

At the end of each chapter, you will find a set of questions. This will help you to demonstrate to yourself that you understand the content. Most of the questions are multiple choice, which is the question format used for the CEH exam. These questions, along with the hands-on experience you take advantage of, will be good preparation for taking the exam.

What Is a CEH?

The Certified Ethical Hacker (CEH) exam is intended to validate that those holding the certification understand the broad range of subject matter that is required for someone to be an effective ethical hacker. The reality is that most days, if you are paying attention to the news, you will see a news story about a company that has been compromised and had data stolen, a government that has been attacked, or even enormous denial of service attacks, making it difficult for users to gain access to business resources. The CEH is a certification that recognizes the importance of identifying security issues in order to get them remediated. This is one way companies can protect themselves against attacks—by getting there before the attackers do. It requires someone who knows how to follow techniques that attackers would normally use. Just running scans using automated tools is insufficient because as good as security scanners may be, they will identify false positives—cases where the scanner indicates an issue that isn’t really an issue. Additionally, they will miss a lot of vulnerabilities—false negatives—for a variety of reasons, including the fact that the vulnerability or attack may not be known. Because companies need to understand where they are vulnerable to attack, they need people who are able to identify those vulnerabilities, which can be very complex. Scanners are a good start, but being able to find holes in complex networks can take the creative intelligence that humans offer.
This is why we need ethical hackers. These are people who can take extensive knowledge of a broad range of technical subjects and use it to identify vulnerabilities that can be exploited. The important part of that two-word phrase, by the way, is “ethical.” Companies have protections in place because they have resources they don’t want stolen or damaged. When they bring in someone who is looking for vulnerabilities to exploit, they need to be certain that nothing will be stolen or damaged. They also need to be certain that anything that may be seen or reviewed isn’t shared with anyone else. This is especially true when it comes to any vulnerabilities that have been identified.

The CEH exam, then, has a dual purpose. It not only tests deeply technical knowledge but also binds anyone who is a certification holder to a code of conduct. Not only will you be expected to know the content and expectations of that code of conduct, you will be expected to live by that code. When companies hire or contract to people who have their CEH certification, they can be assured they have brought on someone with discretion who can keep their secrets and provide them with professional service in order to help improve their security posture and keep their important resources protected.

The Subject Matter

If you were to take the CEH v10 training, you would have to go through the following modules:

Introduction to Ethical Hacking
Footprinting and Reconnaissance
Scanning Networks
Enumeration
Vulnerability Analysis
System Hacking
Malware Threats
Sniffing
Social Engineering
Denial of Service
Session Hijacking
Evading IDSs, Firewalls, and Honeypots
Hacking Web Servers
Hacking Web Applications
SQL Injection
Hacking Wireless Networks
Hacking Mobile Platforms
IoT Hacking
Cloud Computing
Cryptography

As you can see, the range of subjects is very broad.
Beyond knowing the concepts associated with these topics, you will be expected to know about various tools that may be used to perform the actions associated with the concepts you are learning. You will need to know tools like nmap for port scanning, for example. You may need to know proxy-based web application attack tools. For wireless network attacks, you may need to know about the aircrack-ng suite of tools. For every module listed above, there are potentially dozens of tools that may be used.

The subject matter of the CEH exam is very technical. This is not a field in which you can get by with theoretical knowledge. You will need to have had experience with the methods and tools that are covered within the subject matter for the CEH exam. What you may also have noticed here is that the modules all fall within the different stages mentioned earlier. While you may not necessarily be asked for a specific methodology, you will find that the contents of the exam do generally follow the methodology that the EC-Council believes to be a standard approach.

About the Exam

The CEH exam has much the same parameters as other professional certification exams. You will take a computerized, proctored exam. You will have 4 hours to complete 125 questions. That means you will have, on average, roughly 2 minutes per question. The questions are all multiple choice. The exam can be taken through the ECC Exam Center or at a Pearson VUE center.

Should you wish to take your certification even further, you could go after the CEH Practical exam. For this exam you must perform an actual penetration test and write a report at the end of it. This demonstrates that in addition to knowing the body of material covered by the exam, you can put that knowledge to use in a practical way. You will be expected to know how to compromise systems and identify vulnerabilities.
In order to pass the exam, you will have to correctly answer questions, though the actual number of questions you have to answer correctly will vary. The passing grade varies depending on the difficulty of the questions asked. The harder the questions that are asked out of the complete pool of questions, the fewer questions you need to get right to pass the exam. If you get easier questions, you will need to get more of the questions right to pass. There are some sources of information that will tell you that you need to get 70 percent of the questions right, and that may be okay for general guidance and preparation as a rough low-end marker. However, keep in mind that when you sit down to take the actual test at the testing center, the passing grade will vary.

The good news is that you will know whether you passed before you leave the testing center. You will get your score when you finish the exam and you will also get a piece of paper indicating the details of your grade. You will get feedback associated with the different scoring areas and how you performed in each of them.

Who Is Eligible

Not everyone is eligible to sit for the CEH exam. Before you go too far down the road, you should check your qualifications. Just as a starting point, you have to be at least 18 years of age. The other eligibility standards are as follows:

Anyone who has versions 1–7 of the CEH certification. CEH certification (or exam?) is ANSI certified now, but early versions of the exam were available before the certification. Anyone who wants to take the ANSI-accredited certification who has the early version of the CEH certification can take the exam.
Minimum of two years of related work experience. Anyone who has the experience will have to pay a non-refundable application fee of $100.
Have taken an EC-Council training.
If you meet these qualification standards, you can apply for the certification, along with paying the fee if it is applicable to you (if you take one of the EC-Council trainings, the fee is included). The application will be valid for three months.

Exam Cost

In order to take the certification exam, you need to pay for a Pearson VUE exam voucher. The cost of this is $1,199. You could also obtain an EC-Council voucher for $950, but that requires that you have taken EC-Council training and can provide a Certificate of Attendance.

About EC-Council

The International Council of Electronic Commerce Consultants is more commonly known as the EC-Council. It was created after the airplane attacks that happened against the United States on 9/11/01. The founder, Jay Bavisi, wondered what would happen if the perpetrators of the attack decided to move from the kinetic world to the digital world. Even beyond that particular set of attackers, the Internet has become a host to a large number of people who are interested in causing damage or stealing information. The economics of the Internet, meaning the low cost of entry into the business, encourage criminals to use it as a means of stealing information, ransoming data, or other malicious acts.

The EC-Council is considered to be one of the largest certifying bodies in the world. They operate in 145 countries and have certified more than 200,000 people. In addition to the CEH, the EC-Council also administers a number of other IT-related certifications.
They manage the following certifications:

Certified Network Defender (CND)
Certified Ethical Hacker (CEH)
Certified Ethical Hacker Practical
EC-Council Certified Security Analyst (ECSA)
EC-Council Certified Security Analyst Practical
Licensed Penetration Tester (LPT)
Computer Hacking Forensic Investigator (CHFI)
Certified Chief Information Security Officer (CCISO)

One advantage to holding a certification from the EC-Council is that the organization has been accredited by the American National Standards Institute (ANSI). Additionally, and perhaps more importantly for potential certification holders, the certifications from EC-Council are recognized worldwide and have been endorsed by governmental agencies like the National Security Agency (NSA). The Department of Defense Directive 8570 includes the CEH certification. This is important because having the CEH certification means that you could be quickly qualified for a number of positions with the United States government.

The CEH certification provides a bar. This means that there is a set of known standards. In order to obtain the certification, you will need to have met at least the minimal standard. These standards can be relied on consistently. This is why someone with the CEH certification can be trusted. They have demonstrated that they have met known and accepted standards of both knowledge and professional conduct.

Using This Book

This book is structured in a way that foundational material is up front. With this approach, you can make your way in an orderly fashion through the book, one chapter at a time. Technical books can be dry and difficult to get through sometimes, but it’s always my goal to try to make them easy to read and hopefully entertaining along the way. If you already have a lot of experience, you don’t need to take the direct route from beginning to end. You can skip around as you need to. No chapter relies on any other.
They all stand alone with respect to the content. However, if you don’t have the foundation and try to jump to a later chapter, you may find yourself getting lost or confused by the material. All you need to do is jump back to some of the foundational chapters.

Beyond the foundational materials, the book generally follows a fairly standard methodology when it comes to performing security testing. This methodology will be further explained in Chapter 1. As a result, you can follow along with the steps of a penetration test/ethical hacking engagement. Understanding the outline and reason for the methodology will also be helpful to you. Again, though, if you know the material, you can move around as you need to.

Objective Map

Table I.1 contains an objective map to show you at a glance where you can find each objective covered. While there are chapters listed for all of these, there are some objectives that are scattered throughout the book. Specifically, tools, systems, and programs get at least touched on in most of the chapters.

Table I.1 Objective Map

Objective                                   Chapter
Tasks
1.1 Systems development and management      7, 14
1.2 Systems analysis and audits             4, 5, 6, 7
1.3 Security testing and vulnerabilities    7, 8
1.4 Reporting                               1, 7
1.5 Mitigation                              7, 8
1.6 Ethics                                  1
Knowledge
2.1 Background                              2, 3
2.2 Analysis/assessment                     2, 11
2.3 Security                                3, 13, 14
2.4 Tools, systems, programs                4, 5, 6, 7
2.5 Procedures/methodology                  1, 4, 5, 6, 7, 14
2.6 Regulation/policy                       1, 14
2.7 Ethics                                  1

On the Day of the Exam

Plan to arrive at your test center at least 30 minutes before your exam start time. To check in, you’ll need to:

Show two (2) valid, unexpired forms of personal ID (examples include: government issued IDs, passport, etc.). Both must have your signature, and one of the two must have your photo.
For more information about acceptable IDs please visit: https:// www.isc2.org/Register-for-Exam, and look under the What You Need to Bring to the Test Center tab for more information. Provide your signature. Submit to a palm vein scan (unless it’s prohibited by law). Have your photo taken. Hats, scarves, and coats may not be worn for your photo. You also can’t wear these items in the test room. The Test Administrator (TA) will give you a short orientation. If you have already arranged for special accommodations for your testing, and (ISC)2 and Pearson VUE have approved them, be sure to go over these with the TA. Then, the TA will escort you to a computer terminal. Let’s Get Started! This book is structured in a way that you will be led through foundational concepts and then through a general methodology for ethical hacking. You can feel free to select your own path- way through the book. Remember, wherever possible, get your hands dirty. Get some experi- ence with tools, tactics, and procedures that you are less familiar with. It will help you a lot. Take the self-assessment. It may help you get a better idea how you can make the best use of this book. Assessment Test 1. Which header field is used to reassemble fragmented IP packets? A. Destination address B. IP identification C. Don’t fragment bit D. ToS field 2. If you were to see the following in a packet capture, what would you expect was happening? ‘ or 1=1; A. Cross-site scripting B. Command injection C. SQL injection D. XML external entity injection 3. What method might you use to successfully get malware onto a mobile device? A. Through the Apple Store or Google Play Store B. External storage on an Android C. Third-party app store D. Jailbreaking 4. What protocol is used to take a destination IP address and get a packet to a destination on the local network? A. DHCP B. ARP C. DNS D. RARP 5. 
What would be the result of sending the string AAAAAAAAAAAAAAAAA into a variable that has been allocated space for 8 bytes? A. Heap spraying B. SQL injection C. Buffer overflow D. Slowloris attack 6. If you were to see the subnet mask 255.255.248.0, what CIDR notation (prefix) would you use to indicate the same thing? A. /23 B. /22 C. /21 D. /20 Assessment Test xxv 7. What is the primary difference between a worm and a virus? A. A worm uses polymorphic code B. A virus uses polymorphic code C. A worm can self-propagate D. A virus can self-propagate 8. How would you calculate risk? A. Probability * loss B. Probability * mitigation factor C. (Loss + mitigation factor) * (loss/probability) D. Probability * mitigation factor 9. How does an evil twin attack work? A. Phishing users for credentials B. Spoofing an SSID C. Changing an SSID D. Injecting four-way handshakes 10. In order to remove malware in the network before it gets to the endpoint, you would use which of the following? A. Antivirus B. Application layer gateway C. Unified threat management appliance D. Stateful firewall 11. What is the purpose of a security policy? A. Providing high-level guidance on the role of security B. Providing specific direction to security workers C. Increasing the bottom line of a company D. Aligning standards and practices 12. What has been done to the following string? %3Cscript%3Ealert(‘wubble’);%3C/ script%3E A. Base64 encoding B. URL encoding C. Encryption D. Cryptographic hashing 13. What would you get from running the command dig ns domain.com? A. Mail exchanger records for domain.com B. Name server records for domain.com C. Caching name server for domain.com D. IP address for the hostname ns xxvi Assessment Test 14. What technique would you ideally use to get all of the hostnames associated with a domain? A. DNS query B. Zone copy C. Zone transfer D. Recursive request 15. 
If you were to notice operating system commands inside a DNS request while looking at a packet capture, what might you be looking at? A. Tunneling attack B. DNS amplification C. DNS recursion D. XML entity injection 16. What would be the purpose of running a ping sweep? A. You want to identify responsive hosts without a port scan. B. You want to use something that is light on network traffic. C. You want to use a protocol that may be allowed through the firewall. D. All of the above. 17. How many functions are specified by NIST’s cybersecurity framework? A. 0 B. 3 C. 5 D. 4 18. What would be one reason not to write malware in Python? A. Python interpreter is slow. B. Python interpreter may not be available. C. There is inadequate library support. D. Python is a hard language to learn. 19. If you saw the following command line, what would you be capturing? tcpdump -i eth2 host 192.168.10.5 A. Traffic just from 192.168.10.5 B. Traffic to and from 192.168.10.5 C. Traffic just to 192.168.10.5 D. All traffic other than from 192.168.86.5 Assessment Test xxvii 20. What is Diffie-Hellman used for? A. Key management B. Key isolation C. Key exchange D. Key revocation 21. Which social engineering principle may allow a phony call from the help desk to be effective? A. Social proof B. Imitation C. Scarcity D. Authority 22. How do you authenticate with SNMPv1? A. Username/password B. Hash C. Public string D. Community string 23. What is the process Java programs identify themselves to if they are sharing procedures over the network? A. RMI registry B. RMI mapper C. RMI database D. RMI process 24. What do we call an ARP response without a corresponding ARP request? A. Is-at response B. Who-has ARP C. Gratuitous ARP D. IP response 25. What are the three times that are typically stored as part of file metadata? A. Moves, adds, changes B. Modified, accessed, deleted C. Moved, accessed, changed D. Modified, accessed, created xxviii Assessment Test 26. 
Which of these is a reason to use an exploit against a local vulnerability?
A. Pivoting
B. Log manipulation
C. Privilege escalation
D. Password collection

27. What principle is used to demonstrate that a signed message came from the owner of the key that signed it?
A. Non-repudiation
B. Non-verifiability
C. Integrity
D. Authority

28. What is a viable approach to protecting against tailgating?
A. Biometrics
B. Badge access
C. Phone verification
D. Man traps

29. Why is bluesnarfing potentially more dangerous than bluejacking?
A. Bluejacking sends while bluesnarfing receives.
B. Bluejacking receives while bluesnarfing sends.
C. Bluejacking installs keyloggers.
D. Bluesnarfing installs keyloggers.

30. Which of the security triad properties does the Biba security model relate to?
A. Confidentiality
B. Integrity
C. Availability
D. All of them

Answers to Assessment Test

1. B. The destination address is used as the address to send messages to. The don't fragment bit is used to tell network devices not to fragment the packet. The Type of Service (ToS) field can be used to perform quality of service. The IP identification field is used to identify fragments of the same packet, as they would all have the same IP identification number.

2. C. A SQL injection attack makes use of SQL queries, which can include logic that may alter the flow of the application. In the example provided, the intent is to force the result of the SQL query to always return true. It is quoted the way it is to escape the existing query already in place in the application. None of the other attacks use a syntax that looks like the example.

3. C. The Apple App Store and the Google Play Store are controlled by Apple and Google. It's not impossible to get malware onto mobile devices that way, but it's very difficult because apps get run through a vetting process. While some Android devices will support external storage, it's not an effective way to get malware onto a smartphone or other mobile device.
Jailbreaking can lead to malware being installed, but it's not the means to get malware onto a mobile device. Third-party app stores can be a good means to get malware onto mobile devices because some third-party app stores don't vet apps that are submitted.

4. B. DHCP is used to get IP configuration to endpoints. DNS is used to resolve a hostname to an IP address and vice versa. RARP is the Reverse Address Resolution Protocol, used to take a MAC address and resolve it to an IP address. ARP is used to resolve an IP address to a MAC address. Communication on a local network requires the use of a MAC address. The IP address is used to get to systems off the local network.

5. C. Heap spraying uses dynamically allocated space to store attack code. A Slowloris attack is used to hold open web server connection buffers. A SQL injection will be used to inject SQL queries to the database server. A buffer overflow sends more data into the application than space has been allocated for.

6. C. A /23 network would be 255.255.254.0. A /22 would be 255.255.252.0. A /20 would be 255.255.240.0. Only a /21 would give you a 255.255.248.0 subnet mask.

7. C. Both worms and viruses could be written to use polymorphic code, which means they could modify what they look like as they propagate. A worm, though, can self-propagate. It's the one distinction between worms and viruses. Viruses require some intervention on the part of the user to propagate and execute.

8. A. Risk is the probability of the occurrence of an event multiplied by the dollar value of the loss. There is no mitigation factor that is quantified so that it could be put into a risk calculation.

9. B. An evil twin attack uses an access point masquerading as the point of connection for stations trying to connect to a legitimate wireless network. Stations reach out to make connections to this access point masquerading as another access point.
While you may phish for credentials as part of an evil twin attack, credential phishing is not how evil twin attacks work. SSIDs don't get changed as part of an evil twin attack, meaning no SSID that exists will become another SSID. Injecting four-way handshakes won't do much, since a four-way handshake assumes both ends are communicating, so the injection of a full communication stream will get ignored.

10. C. Antivirus solutions are used on endpoints or maybe on email servers. Stateful firewalls add in the ability to factor in the state of the connection (new, related, established). An Application layer gateway knows about Application layer protocols. A unified threat management appliance adds additional capabilities on top of firewall functions, including antivirus.

11. A. Standards and practices should be derived from a security policy, which is the high-level guidance on the role of security within an organization. Security does not generally increase the bottom line of a company. Policies are not for providing specific directions, which would be the role of procedures.

12. B. Base64 encoding takes non-printable characters and encodes them in a way that they can be rendered in text. Encryption would generally render text unreadable to people. A cryptographic hash is a way of generating a fixed-length value to identify a value. URL encoding takes text and uses hexadecimal values to represent the characters. Here, the < and > characters have been replaced with their hexadecimal values %3C and %3E so the string can be carried in a URL.

13. B. Mail exchanger records would be identified as MX records. A name server record is identified with the tag NS. While an enterprise may have one or even several caching name servers, the caching name server wouldn't be said to belong to the domain since it doesn't have any domain identification associated with it.

14. C. A DNS query can be used to identify an IP address from a hostname or vice versa.
You could potentially use a brute-force technique to identify hostnames, though you may not get everything using that method. A recursive request is common from a caching server to get an authoritative response. The term for getting all the contents of the zone is a zone transfer.

15. A. Tunneling attacks can be used to hide one protocol inside another. This may be used to send operating system commands using a tunnel system. A DNS amplification attack is where a small DNS request results in much larger responses sent to the target. DNS recursion is used to look up information from DNS servers. An XML entity injection attack is a web-based attack and wouldn't be found inside a DNS request.

16. D. There may be several reasons for performing a ping sweep. You likely want to identify responsive hosts on the network segment you are targeting. You may not, though, want to use a full port scan. ICMP is a lightweight protocol and there is a chance it will be allowed through the firewall, since it's used for troubleshooting and diagnostics.

17. C. The NIST cybersecurity framework specifies five functions: identify, protect, detect, respond, recover.

18. B. Python interpreters may be considered slower to execute than a compiled program; however, the difference is negligible and generally speed of execution isn't much of a concern when it comes to malware. Python is not a hard language to learn and there are a lot of community-developed libraries. One challenge, though, is that you may need a Python interpreter, unless you go through the step of getting a Python compiler and compiling your script. Windows systems wouldn't commonly have a Python interpreter installed.

19. B. The expression host 192.168.10.5 is BPF (Berkeley Packet Filter) syntax indicating that tcpdump should only capture packets to and from 192.168.10.5. If you wanted only one direction, you would need to qualify host with src or dst (src host 192.168.10.5 or dst host 192.168.10.5).

20. C.
Certificates can be revoked, but that's not what Diffie-Hellman is used for. Key management is a much broader topic than what Diffie-Hellman is used for. Diffie-Hellman is used for key exchange. It is a process that allows parties to an encrypted conversation to mutually derive the same key starting with the same base value.

21. D. While you might be imitating someone, imitation is not a social engineering principle. Neither social proof nor scarcity is at play in this situation. However, if you are calling from the help desk, you may be considered to be in a position of authority.

22. D. SNMPv3 implemented username and password authentication. With version 1, you used a cleartext community string. SNMPv1 doesn't use hashes, and while the word "public" is often used as a community string, a public string is not a way to authenticate with SNMPv1.

23. A. Interprocess communication between Java programs across a network is called Remote Method Invocation (RMI). The RMI registry is the naming service that server programs register their remote objects with, and it hands clients the reference (including the dynamically allocated port) they need to reach each object. This is the program you query to identify services that are available on a system that has implemented RMI.

24. C. When an ARP response is sent without a corresponding ARP request, it's an unexpected or unnecessary message, so it is a gratuitous ARP.

25. D. There are three date and time stamps commonly used in file metadata. When the file is created, that moment is stored. When a file is accessed by a user, that moment is stored. When a file is modified, that moment is stored. Accessed is not the same as modified since accessing a file could be read-only. You could open a file, expecting to modify it but not ending up doing the modification. The access time still changes. While moves, adds, and changes may sometimes be referred to as MAC like modified, accessed, and created, those are not tasks associated with file times.

26. C. Local vulnerabilities are used against applications that are not listening on the network.
This means they require you to be "local" to the machine and not remote. In other words, you have to be logged in somehow. A local vulnerability would not be used to collect passwords, since you don't need a vulnerability to do that. Similarly, you don't need to make use of a vulnerability to manipulate logs or to pivot. Most of those would require you to have elevated permissions, though. A local vulnerability may be exploited to get you those elevated permissions.

27. A. Integrity is part of the CIA triad but isn't the principle that ties a signed message back to the subject of the signing certificate. Non-verifiability is nonsense and authority isn't relevant here. Instead, non-repudiation means someone can't say they didn't send a message if it was signed with their key and that key was in their possession and password-protected.

28. D. Biometrics and badge access are forms of physical access control. Phone verification could possibly be used as a way of verifying identity but it won't protect against tailgating. A man trap, however, will protect against tailgating because a man trap only allows one person in at a time.

29. B. Bluesnarfing is an attack that connects to a Bluetooth device in order to grab data from that device. Bluejacking can be used to send information to a Bluetooth device that is receiving from the attacker, such as a text message. Neither of these attacks installs keyloggers. The victim device sends information to the attacker in a bluesnarfing attack.

30. B. The Biba security model covers data integrity. While other models cover confidentiality, none of them cover availability.
Chapter 1
Ethical Hacking

The following CEH exam topics are covered in this chapter:
✓✓ Professional code of conduct
✓✓ Appropriateness of hacking

Welcome to the exciting world of information security and, specifically, the important world of what is referred to as ethical hacking. You're here because you want to take the exam that will get you the Certified Ethical Hacker (CEH) certification. Perhaps you have done the training from EC-Council, the organization that manages the CEH, and you want a resource with a different perspective to help you as you prepare for the exam. Or you've decided to go the self-study route and you have enough experience to qualify for the exam. One way or another, you're here now, and this book will help you improve your understanding of the material to prepare for the exam.

The exam covers a wide range of topics, often at a deeply technical level, so you really need to have a solid understanding of the material. This is especially true if you choose to go on to the practical exam. This chapter, however, will be your starting point, and there is nothing technical here. In it, you'll get a chance to understand the foundations of the entire exam. First, you'll learn just what ethical hacking is, as well as what it isn't. The important part of the term ethical hacking is the ethical part. When you take the exam, you will be expected to abide by a code. It's essential to understand that code so you can live by it throughout your entire career. Finally, you'll learn what EC-Council is, as well as the format and other details of the exam that will be useful to you. While some of it may seem trivial, it can be helpful to get a broader context for why the exam was created and learn about the organization that runs it. Personally, I find it useful to understand what's underneath something rather than experience it at a superficial level.
As a result, you'll get the macro explanation and you can choose to use it or not, depending on whether you find it helpful. It won't be part of the exam, but it may help you understand what's behind the exam so you understand the overall intentions.

Overview of Ethics

Before we start talking about ethical hacking, I will cover the most important aspect of that, which is ethics. You'll notice it's not referred to as "hacking ethically." It's ethical hacking. The important part is in the front. Ethics can be a challenging subject because you will find that it is not universal. Different people have different views of what is ethical and what is not ethical. It's essential, though, that you understand what ethics are and what is considered ethical and unethical from the perspective of the Certified Ethical Hacker certification. This is a critical part of the exam and the certification. After all, you are being entrusted with access to sensitive information and critical systems. To keep yourself viable as a professional, you need to behave and perform your work in an ethical manner. Not only will you be expected to behave ethically, you will be expected to adhere to a code of ethics.

As part of the code of ethics, you will be sworn to keep information you obtain as part of your work private, paying particular attention to protecting the information and intellectual property of employers and clients. When you are attacking systems that belong to other people, you could be provided with internal information that is sensitive. You could also come across some critical information vital to the organization for which you are working. Failing to protect any of that data violates the code of ethics by compromising the confidentiality of that information. You are expected to disclose information that needs to be disclosed to the people who have engaged your services. This includes any issues that you have identified.
You are also expected to disclose potential conflicts of interest that you may have. It's important to be transparent in your dealings and also do the right thing when it comes to protecting your clients, employers, and their business interests. Additionally, if you come across something that could have an impact on a large number of people across the Internet, you are expected to disclose it in a responsible manner. This doesn't mean disclosing it in a public forum. It means working with your employer, any vendor that may be involved, and any computer emergency response team (CERT) that may have jurisdiction over your findings.

For examples of responsible disclosure, look at the work of Dan Kaminsky. He has found serious flaws in the implementations of the Domain Name System (DNS), which impacts everyone on the Internet. He worked responsibly with vendors to ensure that they had time to fix their implementations and remediate the vulnerabilities before he disclosed them. In the end, he did disclose the vulnerabilities in a very public manner, but only after vendors had time to fix the issue. This meant he wasn't putting people in the path of compromise and potential information disclosure. Even though he was using the software in a way that it wasn't intended to be used, he was using an ethical approach by attempting to address an issue before someone could make use of the issue in a malicious way.

As you perform work, you will be given access to resources provided by the client or company. Under the code of ethics you will need to agree to, you cannot misuse any of the equipment. You can't damage anything you have access to as part of your employment or contract. There will be times when the testing you are performing may cause damage to a service provided by the infrastructure of the company you are working for or with. As long as this is unintentional or agreed to be acceptable by the company, this is okay.
One way to alleviate this concern is to keep lines of communication open at all times. If it happens that an unexpected outage occurs, ensuring that the right people know so it can be remedied is essential.

Perhaps it goes without saying, but you are not allowed to engage in any illegal actions. Similarly, you cannot have been convicted of any felony or violate any laws. Along the same lines, though it's not directly illegal, you can't be involved with any group that may be considered "black hat," meaning they are engaged in potentially illegal activities, such as attacking computer systems for malicious purposes.

Colorful Terminology

You may regularly hear the terms white hat, black hat, and gray hat. White hat hackers are people who always do their work for good. Black hat hackers, probably not surprisingly, are people who do bad things, generally actions that are against the law. Gray hat hackers, though, fall in the middle. They are working for good, but they are using the techniques of black hat hackers.

Communication is also important when you embark on an engagement, regardless of whether you are working on contract or are a full-time employee. When you are taking on a new engagement, it's essential to be clear about the expectations for your services. If you have the scope of your services in writing, everything is clear and documented. As long as what you are being asked to do is not illegal and the scope of activities falls within systems run by the company you are working for, your work would be considered ethical. If you stray outside of the scope of systems, networks, and services, your actions would be considered unethical. When you keep your interactions professional and ensure that it's completely clear to your employer what you are doing, as long as your actions are against systems belonging to your employer, you should be on safe ground ethically.
Overview of Ethical Hacking

These days, it's hard to look at any source of news without seeing something about data theft, Internet-based crime, or various other attacks against people and businesses. What we see in the news, actually, are the big issues, with large numbers of records compromised or big companies breached. What you don't see is the number of system compromises where the target of the attack is someone's personal computer or other device. Consider, for example, the Mirai botnet, which infected smaller, special-purpose devices running an embedded implementation of Linux. The number of devices thought to have been compromised and made part of that botnet is well over 100,000, with the possibility of there being more than one million.

Each year, millions of new pieces of malware are created, often making use of new vulnerabilities that have been discovered. Since 2005, there has not been a year without at least 10 million data records compromised. In the year 2017, nearly 200 million records were compromised. These numbers are just from the United States. To put this into perspective, there are only about 250 million adults in the United States, so it's safe to say that every adult has had their information compromised numerous times. To be clear, the data records that we're talking about belong to individual people and not to businesses. There is minimal accounting of the total value of intellectual property that may have been stolen, but it's clear that the compromise has been ongoing for a long time.

All of this is to say there is an urgent need to improve how information security is handled. It's believed that to protect against attacks, you have to be able to understand those attacks. Ideally, you need to replicate the attacks.
If businesses are testing attacks against their own infrastructure early and often, those businesses could be in a better position to improve their defenses and keep the real attackers out.

This type of testing is what ethical hacking really is. It is all about ferreting out problems with a goal of improving the overall security posture of the target. This may be for a company in terms of their infrastructure or even desktop systems. It may also be performing testing against software to identify bugs that can be used to compromise the software and, subsequently, the system where the software is running. The aim is not to be malicious but to be on the "good" side to make the situation better. This is something you could be hired or contracted to perform for a business. They may have a set of systems or web applications they want tested. You could also have software that needs to be tested. There are a lot of people who perform testing on software, both commercial and open source.

Ethical hacking can be done under many different names. You may not always see the term ethical hacking, especially when you are looking at job titles. Instead, you will see the term penetration testing. It's essentially the same thing. The idea of a penetration test is to attempt to penetrate the defenses of an organization. That may also be the goal of an ethical hacker. You may also see the term red teaming, which is generally considered a specific type of penetration test where the testers are adversarial to the organization and network under test. A red teamer would actually act like an attacker, meaning they would try to be stealthy so as not to be detected. One of the challenging aspects of this sort of activity is having to think like an attacker. Testing of this nature is often challenging and requires a different way of thinking.
When doing any sort of testing, including ethical hacking, a methodology is important, as it helps ensure that your actions are both repeatable and verifiable. There are a number of methodologies you may come across. Professionals who have been doing this type of work for a while may have developed their own style. However, they will often follow common steps, such as the ones I am going to illustrate as we move through the chapter.

EC-Council helps to ensure that this work is done ethically by requiring anyone who has obtained the Certified Ethical Hacker (CEH) certification to agree to a code of conduct. This code of conduct holds those who have their CEH certification to a set of standards ensuring that they behave ethically, in service to their employers. They are expected to not do harm and to work toward improving the security posture rather than doing damage to that posture.

Methodology of Ethical Hacking

The basic methodology is meant to reproduce what real-life attackers would do. Companies can shore up their security postures using information that comes from each stage covered here.

Reconnaissance and Footprinting

Reconnaissance is where you gather information about your target. You want to understand the scope of your endeavor up front, of course. This will help you narrow your actions so you aren't engaging in anything that could be unethical. You'll have some sense of who your target is, but you may not have all the details. Gathering the details of your target is one of the reasons for performing reconnaissance. Another reason is that while there is a lot of information that has to be public just because of the nature of the Internet and the need to do business there, you may find information leaked to the rest of the world that the organization you are working for would do better to lock down.

The objective of reconnaissance and footprinting is determining the size and scope of your test.
Footprinting is just getting an idea of the "footprint" of the organization, meaning the size and appearance. This means trying to identify network blocks, hosts, locations, and people. The information gathered here will be used later as you progress through additional stages. Keep in mind that while you are looking for details about your target, you will find not only network blocks, which may exist within enterprise networks, but also potentially single hosts, which may belong to systems that are hosted with a service provider. As these systems will run services that may provide entry points or just house sensitive data, it's necessary to keep track of everything you gather and not limit yourself to information available about network blocks that the company may have.

In the process of doing this work, you may also turn up personal information belonging to employees at your target. This will be useful when it comes to social engineering attacks. These sorts of attacks are commonplace. In fact, some estimates suggest that 80 to 90 percent of infiltrations are a result of these social engineering attacks. They are not the only means of accessing networks, but they are commonly the easiest way in.

Scanning and Enumeration

Once you have network blocks identified, you will want to identify systems that are accessible within those network blocks; this is the scanning and enumeration stage. More important, however, you will want to identify services running on any available host. Ultimately, these services will be used as entry points. The objective is to gain access, and that may be possible through exposed network services. This includes not only a list of all open ports, which will be useful information, but also the identity of the service and software running behind each open port. This may also result in gathering information that different services provide. This includes the software providing the service, such as nginx, Apache, or IIS for a web server.
Additionally, there are services that may provide a lot of details about not only the software but about the internals of the organization. This may be usernames, for instance. Some Simple Mail Transfer Protocol (SMTP) servers will give up valid usernames if they are queried correctly. Windows servers using the Server Message Block (SMB) protocol or the Common Internet File System (CIFS) protocol can be asked for information. You can get details like the directories being shared, usernames, and even some policy information. The objective of this phase is to gather as much information as you can to have starting points for when you move into the next phase. This phase can be time-consuming, especially as the size of the network and enterprise you are working with grows. The more details you can gather here, the easier the next stage will be for you.

Gaining Access

Gaining access is what many people consider to be the most important part of a penetration test, and for many, it's the most interesting. This is where you can demonstrate that some services are potentially vulnerable. You do that by exploiting the service. There are no theoretical or false positives when you have compromised a system or stolen data and you can prove it. This highlights one of the important aspects of any ethical hacking: documentation. Just saying, "Hey, I did this" isn't going to be sufficient. You will need to demonstrate or prove in some way that you did manage to compromise the system.

Technical attacks, like those looking for vulnerabilities in listening network services, are sometimes thought of as how systems get compromised, but the reality is that social engineering attacks are far more likely to be the way attackers gain access to systems. This is one of the reasons why enumeration is important, because you need targets for social engineering attacks.
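The SMTP username leakage mentioned under Scanning and Enumeration is the kind of enumeration that produces exactly the target list the social engineering attacks discussed here need. As an added example (not code from the book), the script below carries the technique through in Python: a stub SMTP server, constructed for the demo, answers VRFY the way a leaky server does (250 for a mailbox it knows, 550 for one it doesn't), and the client walks a candidate list and keeps only the names the server confirms. A hardened server answers 252 to every VRFY, so the client deliberately treats 252 as "not confirmed" rather than as a hit. The hostnames, the stub's user list, the candidate names and the loopback port are all assumptions for the demo.

```python
import socket
import threading

# Constructed for this example: the mailboxes the stub server "knows".
STUB_USERS = {"root", "alice", "postmaster"}


def _stub_smtp_server(listener):
    """Accept one client and answer like an SMTP server that leaks users via VRFY.

    It speaks just enough of the protocol for the client below: a 220 banner,
    250 to HELO, and for VRFY either 250 (mailbox exists) or 550 (unknown).
    A hardened server would answer 252 to every VRFY instead.
    """
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as rfile:
        conn.sendall(b"220 mail.example.test ESMTP stub\r\n")
        for raw in rfile:
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "HELO":
                conn.sendall(b"250 mail.example.test\r\n")
            elif verb == "VRFY":
                if arg in STUB_USERS:
                    conn.sendall(b"250 2.1.5 <" + arg.encode("ascii") + b"@example.test>\r\n")
                else:
                    conn.sendall(b"550 5.1.1 User unknown\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break
            else:
                conn.sendall(b"502 5.5.2 Command not implemented\r\n")


def _read_reply(rfile):
    """Return the numeric code of one (possibly multi-line) SMTP reply.

    Continuation lines carry '-' after the three-digit code; the final
    line of a reply carries a space, which is what we wait for.
    """
    while True:
        line = rfile.readline().decode("ascii", "replace")
        if not line:
            raise ConnectionError("server closed the connection")
        if len(line) >= 4 and line[3] == " ":
            return int(line[:3])


def vrfy_enumerate(host, port, candidates):
    """Send VRFY for each candidate name and return the set the server confirms."""
    confirmed = set()
    with socket.create_connection((host, port), timeout=5) as s, s.makefile("rb") as rfile:
        if _read_reply(rfile) != 220:
            raise ConnectionError("no SMTP banner")
        s.sendall(b"HELO scanner.example.test\r\n")  # assumed client hostname
        _read_reply(rfile)
        for name in candidates:
            s.sendall(b"VRFY " + name.encode("ascii") + b"\r\n")
            code = _read_reply(rfile)
            # 250/251: mailbox confirmed. 252: server refuses to say (hardened).
            # 550: unknown user. Only a definite yes goes on the target list.
            if code in (250, 251):
                confirmed.add(name)
        s.sendall(b"QUIT\r\n")
        _read_reply(rfile)
    return confirmed


def run_demo(candidates):
    """Start the stub on a loopback port, enumerate against it, return confirmed names."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port, assumed free
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=_stub_smtp_server, args=(listener,), daemon=True)
    server.start()
    try:
        return vrfy_enumerate("127.0.0.1", port, candidates)
    finally:
        server.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    print(sorted(run_demo(["root", "alice", "bob", "mallory"])))  # ['alice', 'root']
```

Against a real target you would point vrfy_enumerate at the mail server found during scanning and feed it a wordlist; the same reply-code logic applies to EXPN, and a server that answers 252 to everything is the sign the administrator has already closed this leak.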
There are a number of ways to perform social engineering attacks, including using email to either infect a machine with malware or get the user to provide information that can be used in other ways. This may be the username and password, for instance. Another mechanism for gathering information from users is to get them to visit a website. This may be a website that you, as the attacker, have loaded with malicious software that will infect their systems. Or, as before, you may be asking them for information. You've seen malware mentioned twice here. Understanding how malware works and where it can be used can be an important part of gaining access.

You will not always be asked to perform social engineering attacks. Companies may be handling security awareness, which commonly includes awareness of social engineering attacks, in other ways and not want or expect you to do phishing attacks or web-based attacks. Therefore, you shouldn't rely on using these techniques, in spite of the comparative ease of doing so, to get access to systems.

Maintaining Access

Once you are in, emulating common attack patterns means that you should maintain access. If you've managed to compromise a user's system, when the user shuts the system down, you will lose access. This may mean that you will need to re-compromise the system. Since exploits are not always guaranteed to be effective, you may well not get in the next time you attempt the compromise. Beyond that, you may have used a compromise that relied on a vulnerability that was fixed. Your next attempt may fail because the vulnerability is no longer there. You need to give yourself other means to get into the system so you can make sure you retain the ability to see what is happening on that system and potentially the enterprise network overall.

This is another stage where malware can be beneficial.
You may need to install a rootkit, for example, that can provide you with a backdoor as well as the means to obscure your actions and existence on the system. You may need to install additional software on the system to maintain access. This may require copying the software onto your target system once you have done the initial compromise.

Therefore, this stage isn't as simple as perhaps it seems. There may be a number of factors that get in the way of ensuring that you maintain access. There are, though, a number of ways of maintaining access. Different operating systems allow for different techniques, but each operating system version or update can make different techniques harder. Ethical hacking is dependent on the circumstances, which is part of what makes it challenging. There are no single answers or straightforward approaches. One Windows 10 system may be easily compromised because there are patches that are available but missing. Another Windows 10 system may be difficult to get into because it is up to date and it has been locked down with permissions and other settings.

Covering Tracks

Covering your tracks is where you hide or delete any evidence of the access you managed to get. Additionally, you should cover up your continued access. This can be accomplished with malware that ensures that your actions aren't logged or perhaps misreports system information, like network connections. One thing to keep in mind when you are trying to cover your tracks is that sometimes your actions may also provide evidence of your work. One example is that wiping logs on a Windows system will leave a log entry indicating that the logs have been wiped. This may be an indication to anyone watching the logs that someone tried to erase evidence. It's not a guarantee that the log wipe was malicious, but it may be enough to prompt someone to investigate further. Because of this, covering tracks can be challenging.
This may, though, be exactly what you’ve been asked to do—challenge and test the response capabilities of the operations team. As a result, it’s always important to keep in mind the objectives of your engagement. Summary It’s hard to overstate the importance of ethics. You will be expected to adhere to a code of ethics when you sign up for your CEH certification and pass your exam. You’ll need to act in a professional manner at all times with your clients and employers. You will need to be a responsible custodian of any data entrusted to you. $&)W$FSUJGJFE&UIJDBM)BDLFS4UVEZ(VJEF By Ric Messier $PQZSJHIU¥CZ+PIO8JMFZ4POT *OD Chapter Networking 2 Foundations The following CEH exam topics are covered in this chapter: ✓✓ Networking technologies ✓✓ Communications protocols ✓✓ Telecommunications technologies ✓✓ Network topologies ✓✓ Subnetting While it may not look like there are a lot of topics that are covered in the exam in this chapter, what is covered is foun- dational for much of what comes later. After all, unless you are sitting at the computer you are attacking, which would be very uncommon, you’re going to be interacting with the network. In some cases, the different attacks, and cer- tainly the defenses, will make use of networking technologies and communications protocols. To understand how networks function, it may be helpful to have a conceptual under- standing of how the protocols fit together. There is one conceptual model used to describe communications protocols and their functions. There is another way of describing these functions, sometimes called a model but it’s more of an as-built architectural design. In this chapter, I’ll cover both the Open Systems Interconnection (OSI) model and the TCP/IP architecture. You will be expected to understand network topologies. Topologies are generally con- ceptual and can be used as a way of logically organizing systems to see how they are con- nected. 
This will start us down the path of talking about the physical elements of networks, including how they are addressed. Ultimately, when we are networking systems, we want them to be able to communicate with one another. To do that, each system needs to have a way for others to address it. As you will see, each system will have multiple addresses. This refers back to the models mentioned earlier because the different addresses are ways of communicating with the different functions at different layers. As we move up the network stacks from the physical components, we’ll start talk- ing about the protocols you are perhaps most familiar with: Internet Protocol (IP), Transmission Control Protocol (TCP), and User Datagram Protocol (UDP). These will be the foundational protocols you will need a solid understanding of for not only testing sys- tems but also providing guidance as to how different vulnerabilities may be remediated by companies you are working for. One common approach to providing information technology services in companies, especially if the services are to external users or customers, is to use service providers. Cloud computing can be used as an implementation of this type of outsourcing. Making use of these service providers and working with organizations that have placed systems and services with them introduces some specific challenges to someone performing security assessments or penetration tests. This means that understanding how these external service providers work can be essential. Communications Models 11 Communications Models We access systems through their addresses. The problem is that each system will have multiple addresses. These addresses are best separated into buckets related to the function- ality provided by the protocol each address belongs to. 
The first communications model, from the standpoint of what we’ll be talking about but also from the standpoint of history, meaning it essentially came first, is more conceptual than strictly practical. I will follow up with a practical model. These communications models are broken into layers, and the layers are stacked on top of one another. Because it shows up as a stack of tiers, you will often hear them referred to as network stacks or protocol stacks. One important aspect to consider when it comes to these network stacks is that the layers are all separate and the functionality is distinct. When two systems are talking, each has these notional layers, and layer C on the first sys- tem can only talk to layer C, not layers B, A, or D, on the second system. This is because the protocols at layer C on both systems match. The same is true for the other protocols. As an example, you can see a set of network headers in Figure 2.1. The layer/function that gen- erated this set of headers on the sending side can only be read by the same layer/function on the receiving side. F i g u r e 2.1 Network headers 12 Chapter 2 Networking Foundations Protocols Perhaps before going too much further, I should define what a protocol is. A protocol is a set of rules or conventions that dictate communication. When you meet someone you know on the street, you may nod or say hello. They will likely return your greeting. This is a protocol. You know what you should say or do and the other side of the communication knows what the response is. Computers are essentially the same—they know sets of rules and expected behaviors. Without these protocols, you could greet your acquaintance by sticking your little finger into your ear and the other person could remove a shoe and throw it at you. This would be a protocol mismatch and neither of you would have any idea what the appropriate response is because they don’t know what the initial communi- cation attempt meant. 
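As an added illustration of the stacked headers in Figure 2.1 and of a layer talking only to its peer layer (example code written for this discussion, not from the book): it builds an Ethernet/IPv4/TCP frame carrying an HTTP request top-down, then decapsulates it bottom-up, with each stage reading only the header its own peer wrote. The MAC addresses, IP addresses, ports and payload are constructed sample values; the IPv4 header checksum is computed so that a tampered header is rejected at the network layer before anything above it sees the data.

```python
import socket
import struct

# Constructed sample addresses (documentation ranges, not from the book).
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP, DST_IP = "192.0.2.10", "192.0.2.20"
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ip_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, as the IPv4 header checksum requires."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Encapsulate top-down: application data -> TCP -> IPv4 -> Ethernet."""
    # Transport (OSI layer 4): ports tell the receiver which application gets the data.
    # The TCP checksum is left at 0; it needs a pseudo-header and is not the point here.
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    # Network (OSI layer 3): IP addresses are what routing between networks uses.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, PROTO_TCP, 0, socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    # Data Link (OSI layer 2): MAC addresses reach the next hop on the local network.
    eth = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> dict:
    """Decapsulate bottom-up; each layer reads only the header its peer layer wrote."""
    # Link layer: strip the Ethernet header; the EtherType names the next protocol up.
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("link layer: not an IPv4 frame")
    # Internet layer: validate its header and read addressing; the payload is opaque to it.
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    if ip_checksum(ip_hdr) != 0:
        raise ValueError("network layer: IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    if ip_hdr[9] != PROTO_TCP:
        raise ValueError("network layer: not TCP")
    segment = frame[14 + ihl:14 + total_len]
    # Transport layer: ports select the application; the data offset locates the payload.
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_off = (segment[12] >> 4) * 4
    return {
        "dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
        "src_ip": socket.inet_ntoa(ip_hdr[12:16]), "dst_ip": socket.inet_ntoa(ip_hdr[16:20]),
        "src_port": src_port, "dst_port": dst_port,
        "payload": segment[data_off:],  # the Application layer sees only this part
    }


if __name__ == "__main__":
    frame = build_frame(40000, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
    print(parse_frame(frame))
```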
As we go through the two communications models, I’ll talk about not only the functions that exist at each layer, but also the protocols that exist at each layer. When we’re done, you’ll have two different, but not dissimilar, ways of understanding how protocols communicate across systems and how messages between systems/applications are put together.

Dissecting the functions of network communications into layers means the functions are modularized. This means that it can be easy to extract one protocol from the chain and insert another one. The same applications work over Ethernet, for example, as the ones that travel over SONET or Frame Relay. All these protocols exist at the same layer. This works because the functionality of each layer is abstracted, meaning layers can communicate with each other without needing to know the details because the functionality is known. The individual protocols don’t matter, necessarily. There are many different protocols for each of the layers, no matter which model we are talking about.

Open Systems Interconnection

Prior to the late 1970s, communications systems used proprietary protocols, making it harder to conceptualize what was happening. Each protocol defined different communications in different ways. In the late 1970s, the International Organization for Standardization (ISO) began a process to define a set of standards for communication. The idea behind this was to allow for better interoperability between vendors. If all the functions are broken out conceptually, the interface points are clearer and, as such, easier to interact with. In 1978, an initial model was announced. After refinements, it was published as the OSI model. While there were concerns about the complexity of this model and the chance that it was unlikely to be implemented, it remains a solid model to help refer to boundaries between functions within a network stack. The OSI model includes seven layers. When indicating a particular functionality, network professionals may make reference to the function by the layer number. We’ll see how this works shortly.

Figure 2.2 shows the seven layers of the OSI model. In talking about the model, we typically start at the ground floor and work our way up to the penthouse. At the very bottom of the model is where you connect to the network. At the top is where you interact with the user.

Figure 2.2 The seven layers of the OSI model (top to bottom): Application, Presentation, Session, Transport, Network, Data Link, Physical

Since we build messages from the Application layer down, we’re going to start discussing each of the layers and their roles there and move downward. For what it’s worth, though, the various mnemonics that are often used to help people remember the different layers start at the bottom. For example, one of my students once suggested “Please Do Not Touch Steve’s Pet Alligator” to help remember the order. That’s bottom to top, though. Regardless, if you remember either order and then can remember what each of the layers does, you’ll be in good shape.

Application (Layer 7)

The Application layer is the one closest to the end user. This does not mean that it is the application itself, however. We are talking about protocols. Application layer protocols manage the communication needs of the application. They may identify resources and manage interacting with those resources. As an example, the HyperText Transfer Protocol (HTTP) is an Application layer protocol. It takes care of negotiating for resources (pages, etc.) between the client and the server.

Presentation (Layer 6)

The Presentation layer is responsible for preparing data for the Application layer. It makes sure that the data that is handed up to the application is in the right format so it can be consumed. When systems are communicating, there may be disconnects in formatting between the two endpoints and the Presentation layer makes sure that data is formatted correctly. As such, character encoding formats like the American Standard Code for Information Interchange (ASCII), Unicode, and the Extended Binary Coded Decimal Interchange Code (EBCDIC) all belong at the Presentation layer. Additionally, the Joint Photographic Experts Group (JPEG) format is considered to be at the Presentation layer.

Session (Layer 5)

The Session layer manages the communication between the endpoints when it comes to maintaining the communication of the applications (the client or server). Remote procedure calls (RPCs) are an example of a function at the Session layer. There are components of file sharing that also live at the Session layer, since negotiation of communication between the endpoints needs to take place. The Application layer takes care of managing the resources while the Session layer takes care of making sure that files, as an example, are successfully transmitted and complete.

Transport (Layer 4)

The Transport layer takes care of segmenting messages for transmission. The Transport layer also takes care of multiplexing of the communication. Both TCP and UDP are transport protocols. These protocols use ports for addressing so receiving systems know which application to pass the traffic to.

Network (Layer 3)

The Network layer gets messages from one endpoint to another. It does this by taking care of addressing and routing. IP is one protocol that exists at this layer.

Data Link (Layer 2)

One other address to contend with is the media access control (MAC) address. This is a Layer 2 address, identifying the network interface on the network so communications can get from one system to another on the local network. The Address Resolution Protocol (ARP), virtual local area networks (VLANs), Ethernet, and Frame Relay are Data Link layer protocols. They take care of formatting the data to be sent out on the transmission medium.

Physical (Layer 1)

This layer probably speaks for itself. It covers all the protocols that manage the physical communications. 10BaseT, 10Base2, 100BaseTX, and 1000BaseT are all examples of Physical layer protocols. They dictate how the pulses on the wire are handled.

One of the problems with the OSI model is that there are not always good fits when it comes to mapping protocols to the seven layers. The problem often comes in the areas between the Session and Application layers. As an example, at which layer does the Secure Shell (SSH) protocol live? Is it the Session layer because it ultimately manages sessions, or is it the Presentation layer because it includes encryption mechanisms and negotiates them? Other protocols seem to exist between layers. ARP, for instance, is said to operate at the Data Link layer, but it needs to know about the Network layer because it provides the bridge between the addressing in those two layers.

However, there are places where having the model makes conceptualizing things much easier. For example, you probably have a device in your home that’s very confusing. You may call it a router, or you may know people who call it a router. The problem is that routing is a layer 3 function, as discussed earlier, and there are other functions in the device that are strictly layer 2, meaning you have switch ports that transmit messages on your local network where there is no routing involved. Additionally, it’s entirely possible your device isn’t even doing any routing but instead it may be bridging to your provider’s network. It all depends on how your device is working and what your provider is expecting from your device. This is where understanding the different layers is helpful. You can better identify where you may have problems because you can isolate functionality.

TCP/IP Architecture

In the late 1960s, the ARPAnet was first developed and implemented. Over the next few years, it grew far beyond the initial two and then three nodes that were connected in 1968–69. As more systems were connected to the network, the people responsible for managing the network and developing the protocols used to exchange information learned a lot. The initial protocol was the 1822 protocol that defined communications to the Interface Message Processor (IMP), which was a large computer with specialized interfaces acting as a message gateway (think of it as a very primitive router). The 1822 protocol was later replaced by the Network Control Program (NCP). By 1983, after many years of development, the NCP was replaced entirely by a suite of protocols now commonly called Transmission Control Protocol (TCP)/Internet Protocol (IP).

The way the suite of protocols used within TCP/IP works is slightly different from the way the OSI model is described. After TCP/IP was implemented, the conceptual design of the protocols was described. For this reason, the suite is sometimes referred to as a model, but it may also be referred to as an architecture, since it’s a description of an as-built design rather than something conceptual.

The TCP/IP architecture is a much simpler design than the OSI model, which is an immediate difference and a reflection of the as-built nature of the design as compared with the conceptual design of the OSI. Since the OSI model had to be abstract and flexible in order to accommodate a wide variety of protocols and designs, it was broken out into the seven functional categories described earlier. TCP/IP, on the other hand, as an as-built definition, is only four layers. This is not to say that there is no correlation between the OSI model and the TCP/IP architecture. As you can see in Figure 2.3, there is much that is similar between the two.

Figure 2.3 The TCP/IP architecture layers (top to bottom): Application, Transport, Internet, Link

You’ll notice the similarities. For a start, there is an Application layer in both. There is also a Transport layer. The Internet and Network layers are named very similarly. Essentially what happens is that the Session, Presentation, and Application layers from the OSI model are collapsed into the Application layer in the TCP/IP model. Additionally, the Physical and Data Link layers from the OSI model are collapsed into the Link layer in the TCP/IP model. The same functions from the collapsed layers exist in the TCP/IP model. Conceptually, though, it’s easier to understand. Anything related to the application communication, including any session management and data formatting, is in the Application layer. Similarly, in the TCP/IP model, the Physical layer and the Data Link layer are put together.

Regardless of which model you prefer to think about networking in, you’ll find that protocols don’t generally sprawl across multiple layers. They are designed to fill the requirements of a specific function, which will land pretty squarely into one of the layers of each model. In the rest of the chapter, and fairly commonly in the real world in my experience, when you see a reference to layers, the reference is to the OSI model and not the TCP/IP architecture.

Topologies

The way networks are designed also uses conceptual models, as a way of taking a rat maze of physical networks and mapping them to a logical representation. This is not only about getting a logical map of the network, but also helps to identify how everything is connected since it will help to isolate potential issues. Different topo