As protecting information becomes a rapidly growing concern for today's businesses, certifications in IT security have become highly desirable, even as the number of certifications has grown. Now you can set yourself apart with the Certified Ethical Hacker (CEH v10) certification. The CEH v10 Certified Ethical Hacker Study Guide offers a comprehensive overview of the CEH certification requirements using concise and easy-to-follow instruction. Chapters are organized by exam objective, with a handy section that maps each objective to its corresponding chapter, so you can keep track of your progress. The text provides thorough coverage of all topics, along with challenging chapter review questions and Exam Essentials, a key feature that identifies critical study areas. Subjects include intrusion detection, DDoS attacks, buffer overflows, virus creation, and more. This study guide goes beyond test prep, providing practical hands-on exercises to reinforce vital skills and real-world scenarios that put what you've learned into the context of actual job roles.
* Gain a unique certification that allows you to understand the mind of a hacker
* Expand your career opportunities with an IT certificate that satisfies the Department of Defense's 8570 Directive for Information Assurance positions
* Fully updated for the 2018 CEH v10 exam, including the latest developments in IT security
* Access the Sybex online learning center, with chapter review questions, full-length practice exams, hundreds of electronic flashcards, and a glossary of key terms
Thanks to its clear organization, all-inclusive coverage, and practical instruction, the CEH v10 Certified Ethical Hacker Study Guide is an excellent resource for anyone who needs to understand the hacking process or anyone who wants to demonstrate their skills as a Certified Ethical Hacker.
Page count: 1032
Year of publication: 2019
Ric Messier,
CEH, GCIH, GSEC, CISSP
Development Editor: Kim Wimpsett
Technical Editors: Russ Christy and Megan Daudelin
Senior Production Editor: Christine O'Connor
Copy Editor: Judy Flynn
Editorial Manager: Pete Gaughan
Production Manager: Kathleen Wisor
Associate Publisher: Jim Minatel
Book Designers: Judy Fung and Bill Gibson
Proofreader: Louise Watson, Word One New York
Indexer: Johnna VanHoose Dinse
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: Getty Images Inc. / Jeremy Woodhouse
Copyright © 2019 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-53319-1
ISBN: 978-1-119-53325-2 (ebk.)
ISBN: 978-1-119-53326-9 (ebk.)
Manufactured in the United States of America
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2019940400
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CEH is a trademark of EC-Council. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
Ric Messier, GCIH, GSEC, CEH, CISSP, MS, has entirely too many letters after his name, as though he spends time gathering up strays that follow him home at the end of the day. His interest in information security began in high school but was cemented when he was a freshman at the University of Maine, Orono, when he took advantage of a vulnerability in a jailed environment to break out of the jail and gain elevated privileges on an IBM mainframe in the early 1980s. His first experience with Unix was in the mid-1980s and with Linux in the mid-1990s. Ric is an author, trainer, educator, and security professional with multiple decades of experience. He is currently a Senior Information Security Consultant with FireEye Mandiant and occasionally teaches courses at Harvard University and the University of Colorado Boulder.
Cover
About the Author
Introduction
Assessment Test
Answers to Assessment Test
Chapter 1 Ethical Hacking
Overview of Ethics
Overview of Ethical Hacking
Methodology of Ethical Hacking
Summary
Chapter 2 Networking Foundations
Communications Models
Topologies
Physical Networking
IP
TCP
UDP
Internet Control Message Protocol
Network Architectures
Cloud Computing
Summary
Review Questions
Chapter 3 Security Foundations
The Triad
Risk
Policies, Standards, and Procedures
Security Technology
Being Prepared
Summary
Review Questions
Chapter 4 Footprinting and Reconnaissance
Open-Source Intelligence
Domain Name System
Passive Reconnaissance
Website Intelligence
Technology Intelligence
Summary
Review Questions
Chapter 5 Scanning Networks
Ping Sweeps
Port Scanning
Vulnerability Scanning
Packet Crafting and Manipulation
Evasion Techniques
Summary
Review Questions
Chapter 6 Enumeration
Service Enumeration
Remote Procedure Calls
Server Message Block
Simple Network Management Protocol
Simple Mail Transfer Protocol
Web-Based Enumeration
Summary
Review Questions
Chapter 7 System Hacking
Searching for Exploits
System Compromise
Gathering Passwords
Password Cracking
Client-Side Vulnerabilities
Post Exploitation
Summary
Review Questions
Chapter 8 Malware
Malware Types
Malware Analysis
Creating Malware
Malware Infrastructure
Antivirus Solutions
Summary
Review Questions
Chapter 9 Sniffing
Packet Capture
Packet Analysis
Spoofing Attacks
Summary
Review Questions
Chapter 10 Social Engineering
Social Engineering
Physical Social Engineering
Phishing Attacks
Website Attacks
Wireless Social Engineering
Automating Social Engineering
Summary
Review Questions
Chapter 11 Wireless Security
Wi-Fi
Bluetooth
Mobile Devices
Summary
Review Questions
Chapter 12 Attack and Defense
Web Application Attacks
Denial of Service Attacks
Application Exploitation
Lateral Movement
Defense in Depth/Defense in Breadth
Defensible Network Architecture
Summary
Review Questions
Chapter 13 Cryptography
Basic Encryption
Symmetric Key Cryptography
Asymmetric Key Cryptography
Certificate Authorities and Key Management
Cryptographic Hashing
PGP and S/MIME
Summary
Review Questions
Chapter 14 Security Architecture and Design
Data Classification
Security Models
Application Architecture
Security Architecture
Summary
Review Questions
Appendix Answers to Review Questions
Chapter 2: Networking Foundations
Chapter 3: Security Foundations
Chapter 4: Footprinting and Reconnaissance
Chapter 5: Scanning Networks
Chapter 6: Enumeration
Chapter 7: System Hacking
Chapter 8: Malware
Chapter 9: Sniffing
Chapter 10: Social Engineering
Chapter 11: Wireless Security
Chapter 12: Attack and Defense
Chapter 13: Cryptography
Chapter 14: Security Architecture and Design
Index
Comprehensive Online Learning Environment
End User License Agreement
Introduction
Table I.1
Chapter 14
Table 14.1
Table 14.2
Chapter 2
Figure 2.1 Network headers
Figure 2.2 The seven layers of the OSI model
Figure 2.3 The TCP/IP architecture layers
Figure 2.4 Bus network
Figure 2.5 Star network
Figure 2.6 Ring network
Figure 2.7 Mesh network
Figure 2.8 Full mesh network
Figure 2.9 IP headers
Figure 2.10 TCP headers
Figure 2.11 UDP headers
Figure 2.12 DMZ network
Figure 2.13 Google Drive
Figure 2.14 Amazon Web Services
Figure 2.15 AWS marketplace images
Figure 2.16 Azure Marketplace images
Chapter 3
Figure 3.1 The CIA triad
Figure 3.2 An error message about an apparently invalid certificate
Figure 3.3 Network diagram showing IDS placement
Figure 3.4 Network diagram showing IPS placement
Figure 3.5 Kibana interface to the Elastic Stack
Figure 3.6 Defense in depth network design
Figure 3.7 Event Viewer
Figure 3.8 Audit Policy in Windows
Chapter 4
Figure 4.1 EDGAR site
Figure 4.2 Portion of Schedule 14-A for Microsoft
Figure 4.3 PGP key server search
Figure 4.4 Pipl output
Figure 4.5 www.weknowwhatyouredoing.com
Figure 4.6 Facebook Graph API
Figure 4.7 John Wiley & Sons information
Figure 4.8 Facebook permissions settings
Figure 4.9 LinkedIn job statistics
Figure 4.10 Job requirements for a network security engineer
Figure 4.11 Twitter keys and access tokens
Figure 4.12 Maltego graph from Twitter
Figure 4.13 Job listing with technologies
Figure 4.14 DNS name resolution
Figure 4.15 Recon with R3con
Figure 4.16 Netcraft hosting history
Figure 4.17 Wappalyzer for technology
Figure 4.18 Chrome developer tools
Figure 4.19 Google hacking results
Figure 4.20 Google Hacking Database
Figure 4.21 Shodan search for DNP3
Figure 4.22 Shodan results
Chapter 5
Figure 5.1 MegaPing IP Scanner
Figure 5.2 UDP scan from Wireshark
Figure 5.3 Zenmap scan types
Figure 5.4 Zenmap service output
Figure 5.5 MegaPing scan types
Figure 5.6 MegaPing scan reports
Figure 5.7 Greenbone Security Assistant
Figure 5.8 Creating a target in OpenVAS
Figure 5.9 Creating credentials in OpenVAS
Figure 5.10 OpenVAS scan configs
Figure 5.11 OpenVAS NVT families
Figure 5.12 OpenVAS NVT selections
Figure 5.13 OpenVAS tasks
Figure 5.14 OpenVAS task creation
Figure 5.15 OpenVAS scans dashboard
Figure 5.16 OpenVAS results list
Figure 5.17 Setting an override
Figure 5.18 Scan policies in Nessus
Figure 5.19 Scan configuration settings
Figure 5.20 Credentials configuration settings
Figure 5.21 Scan results list
Figure 5.22 Finding details
Figure 5.23 Remediations list
Figure 5.24 Plugins Rules settings
Figure 5.25 packETH interface
Figure 5.26 Data pattern fill
Figure 5.27 Network layer data fill
Chapter 7
Figure 7.1 Remote Exploits list at exploit-db.org
Figure 7.2 Exploit-DB search results
Figure 7.3 Temporary Internet files in Windows
Figure 7.4 Using alternate data streams in Windows
Chapter 8
Figure 8.1 AV-Test Institute malware statistics
Figure 8.2 ZeuS Builder
Figure 8.3 WannaCry ransom demand
Figure 8.4 Overview of PE in Cutter
Figure 8.5 Portable executable sections
Figure 8.6 Looking for packers
Figure 8.7 Entry point for malware
Figure 8.8 Program disassembly in Cutter
Figure 8.9 Properties on executable
Figure 8.10 VirusTotal results
Figure 8.11 VirusTotal details
Figure 8.12 Cuckoo Sandbox details
Figure 8.13 Cuckoo Sandbox options
Figure 8.14 Cuckoo Sandbox results
Figure 8.15 New IDA session
Figure 8.16 IDA view
Figure 8.17 OllyDbg view
Figure 8.18 Call stack
Figure 8.19 Command and control infrastructure
Chapter 9
Figure 9.1 Wireshark frames list
Figure 9.2 Protocol details
Figure 9.3 TLS Information
Figure 9.4 RSA keys preferences
Figure 9.5 Wireshark home screen
Figure 9.6 Capture filter in Wireshark
Figure 9.7 Packet analysis
Figure 9.8 Relative sequence numbers
Figure 9.9 Follow TCP Stream dialog box
Figure 9.10 Protocol Hierarchy statistics
Figure 9.11 Conversations statistics
Figure 9.12 Expert Information
Figure 9.13 Ettercap host list
Figure 9.14 RSA keys preferences
Chapter 10
Figure 10.1 I Love You virus
Figure 10.2 RFID-based badge
Figure 10.3 Phishing email
Figure 10.4 Wells Fargo phishing email
Figure 10.5 Phishing email with attachment
Figure 10.6 WinHTTrack options
Figure 10.7 Site cloning with WinHTTrack
Figure 10.8 List of Wi-Fi networks
Figure 10.9 wifiphisher SSID selection
Figure 10.10 wifiphisher attack template selection
Chapter 11
Figure 11.1 Wireless ad hoc network
Figure 11.2 Wireless infrastructure network
Figure 11.3 Wireshark capture of radio traffic
Figure 11.4 Multiple BSSIDs for a single SSID
Figure 11.5 Authentication and association steps
Figure 11.6 Four-way handshake for WPA2
Figure 11.7 Wireless configuration under Linux
Figure 11.8 Probe request in Wireshark
Figure 11.9 Radio headers in Wireshark
Figure 11.10 Apple App Store
Chapter 12
Figure 12.1 Model/view/controller design
Figure 12.2 SQL injection attack
Figure 12.3 Command-line injection attack
Figure 12.4 Smurf amplifier registry
Figure 12.5 Low Orbit Ion Cannon
Figure 12.6 Stack frame
Figure 12.7 Buffer overflow
Figure 12.8 Defense in depth network design
Chapter 13
Figure 13.1 English letter normal distribution
Figure 13.2 Vigenère square
Figure 13.3 Diffie-Hellman process
Figure 13.4 Elliptic curve
Figure 13.5 Simple Authority CA creation
Figure 13.6 Certificate creation
Figure 13.7 Certificate Details
Figure 13.8 Certificate error
Figure 13.9 List of PGP keys
Chapter 14
Figure 14.1 Basic state machine
Figure 14.2 Multitier application design
Figure 14.3 IIS application server
Figure 14.4 Entity-relationship diagram
Figure 14.5 Service-oriented architecture
Figure 14.6 AWS service offerings
Figure 14.7 AWS serverless architecture
Figure 14.8 NoSQL database offerings with Azure
Figure 14.9 NIST’s Five Functions
Figure 14.10 Attack life cycle
You’re thinking about becoming a Certified Ethical Hacker (CEH). No matter what variation of security testing you are performing—ethical hacking, penetration testing, red teaming or application assessment—the skills and knowledge necessary to achieve this certification are in demand. Even the idea of security testing and ethical hacking is evolving as businesses and organizations begin to have a better understanding of the adversaries they are facing. It’s no longer the so-called script kiddies that businesses felt they were fending off for so long. Today’s adversary is organized, well-funded, and determined. This means testing requires different tactics.
Depending on who you are listening to, 80–90 percent of attacks today use social engineering. The old technique of looking for technical vulnerabilities in network services is simply not how attackers are getting into networks. Networks that are focused on applying a defense in depth approach, hardening the outside, may end up being susceptible to attacks from the inside, which is what happens when desktop systems are compromised. The skills needed to identify vulnerabilities and recommend remediations are evolving, along with the tactics and techniques used by attackers.
This book is written to help you understand the breadth of content you will need to know to obtain the CEH certification. You will find a lot of concepts to provide you a foundation that can be applied to the skills required for the certification. While you can read this book cover to cover, for a substantial chunk of the subjects getting hands-on experience is essential. The concepts are often demonstrated through the use of tools. Following along with these demonstrations and using the tools yourself will help you understand the tools and how to use them. Many of the demonstrations are done in Kali Linux, though many of the tools have Windows analogs if you are more comfortable there.
We can’t get through this without talking about ethics, though you will find it mentioned several places throughout the book. This is serious, and not only because it’s a huge part of the basis for the certification. It’s also essential for protecting yourself and the people you are working for. The very short version of it is do not do anything that would cause damage to systems or your employer. There is much more to it than that, which you’ll read more about in Chapter 1 as a starting point. It’s necessary to start wrapping your head around the ethics involved in this exam and profession. You will have to sign an agreement as part of achieving your certification.
At the end of each chapter, you will find a set of questions. This will help you to demonstrate to yourself that you understand the content. Most of the questions are multiple choice, which is the question format used for the CEH exam. These questions, along with the hands-on experience you take advantage of, will be good preparation for taking the exam.
The Certified Ethical Hacker (CEH) exam is intended to validate that those holding the certification understand the broad range of subject matter required for someone to be an effective ethical hacker. The reality is that most days, if you are paying attention to the news, you will see a story about a company that has been compromised and had data stolen, a government that has been attacked, or even enormous denial of service attacks making it difficult for users to gain access to business resources.
The CEH is a certification that recognizes the importance of identifying security issues in order to get them remediated. This is one way companies can protect themselves against attacks—by getting there before the attackers do. It requires someone who knows how to follow techniques that attackers would normally use. Just running scans using automated tools is insufficient because as good as security scanners may be, they will identify false positives—cases where the scanner indicates an issue that isn’t really an issue. Additionally, they will miss a lot of vulnerabilities—false negatives—for a variety of reasons, including the fact that the vulnerability or attack may not be known.
Because companies need to understand where they are vulnerable to attack, they need people who are able to identify those vulnerabilities, which can be very complex. Scanners are a good start, but being able to find holes in complex networks can take the creative intelligence that humans offer. This is why we need ethical hackers. These are people who can take extensive knowledge of a broad range of technical subjects and use it to identify vulnerabilities that can be exploited.
The important part of that two-word phrase, by the way, is “ethical.” Companies have protections in place because they have resources they don’t want stolen or damaged. When they bring in someone who is looking for vulnerabilities to exploit, they need to be certain that nothing will be stolen or damaged. They also need to be certain that anything that may be seen or reviewed isn’t shared with anyone else. This is especially true when it comes to any vulnerabilities that have been identified.
The CEH exam, then, has a dual purpose. It not only tests deeply technical knowledge but also binds anyone who is a certification holder to a code of conduct. Not only will you be expected to know the content and expectations of that code of conduct, you will be expected to live by that code. When companies hire or contract to people who have their CEH certification, they can be assured they have brought on someone with discretion who can keep their secrets and provide them with professional service in order to help improve their security posture and keep their important resources protected.
If you were to take the CEH v10 training, you would have to go through the following modules:
Introduction to Ethical Hacking
Footprinting and Reconnaissance
Scanning Networks
Enumeration
Vulnerability Analysis
System Hacking
Malware Threats
Sniffing
Social Engineering
Denial of Service
Session Hijacking
Evading IDSs, Firewalls, and Honeypots
Hacking Web Servers
Hacking Web Applications
SQL Injection
Hacking Wireless Networks
Hacking Mobile Platforms
IoT Hacking
Cloud Computing
Cryptography
As you can see, the range of subjects is very broad. Beyond knowing the concepts associated with these topics, you will be expected to know about various tools that may be used to perform the actions associated with the concepts you are learning. You will need to know tools like nmap for port scanning, for example. You may need to know proxy-based web application attack tools. For wireless network attacks, you may need to know about the aircrack-ng suite of tools. For every module listed above, there are potentially dozens of tools that may be used.
The subject matter of the CEH exam is very technical. This is not a field in which you can get by with theoretical knowledge. You will need to have had experience with the methods and tools that are covered within the subject matter for the CEH exam. What you may also have noticed here is that the modules all fall within the different stages mentioned earlier. While you may not necessarily be asked for a specific methodology, you will find that the contents of the exam do generally follow the methodology that the EC-Council believes to be a standard approach.
The CEH exam has much the same parameters as other professional certification exams. You will take a computerized, proctored exam. You will have 4 hours to complete 125 questions. That means you will have, on average, roughly 2 minutes per question. The questions are all multiple choice. The exam can be taken through the ECC Exam Center or at a Pearson VUE center.
Should you wish to take your certification even further, you could go after the CEH Practical exam. For this exam you must perform an actual penetration test and write a report at the end of it. This demonstrates that in addition to knowing the body of material covered by the exam, you can put that knowledge to use in a practical way. You will be expected to know how to compromise systems and identify vulnerabilities.
In order to pass the exam, you will have to correctly answer questions, though the actual number of questions you have to answer correctly will vary. The passing grade varies depending on the difficulty of the questions asked. The harder the questions that are asked out of the complete pool of questions, the fewer questions you need to get right to pass the exam. If you get easier questions, you will need to get more of the questions right to pass. There are some sources of information that will tell you that you need to get 70 percent of the questions right, and that may be okay for general guidance and preparation as a rough low-end marker. However, keep in mind that when you sit down to take the actual test at the testing center, the passing grade will vary.
The good news is that you will know whether you passed before you leave the testing center. You will get your score when you finish the exam and you will also get a piece of paper indicating the details of your grade. You will get feedback associated with the different scoring areas and how you performed in each of them.
Not everyone is eligible to sit for the CEH exam. Before you go too far down the road, you should check your qualifications. Just as a starting point, you have to be at least 18 years of age. The other eligibility standards are as follows:
Anyone who holds versions 1–7 of the CEH certification. The CEH certification is ANSI accredited now, but early versions of the exam were available before the accreditation. Anyone who holds an early version of the CEH certification and wants the ANSI-accredited certification can take the exam.
Minimum of two years of related work experience. Anyone who has the experience will have to pay a non-refundable application fee of $100.
Have taken an EC-Council training.
If you meet these qualification standards, you can apply for the certification, along with paying the fee if it is applicable to you (if you take one of the EC-Council trainings, the fee is included). The application will be valid for three months.
In order to take the certification exam, you need to pay for a Pearson VUE exam voucher. The cost of this is $1,199. You could also obtain an EC-Council voucher for $950, but that requires that you have taken EC-Council training and can provide a Certificate of Attendance.
The International Council of Electronic Commerce Consultants is more commonly known as the EC-Council. It was created after the airplane attacks that happened against the United States on 9/11/01. The founder, Jay Bavisi, wondered what would happen if the perpetrators of the attack decided to move from the kinetic world to the digital world. Even beyond that particular set of attackers, the Internet has become a host to a large number of people who are interested in causing damage or stealing information. The economics of the Internet, meaning the low cost of entry into the business, encourage criminals to use it as a means of stealing information, ransoming data, or other malicious acts.
The EC-Council is considered to be one of the largest certifying bodies in the world. They operate in 145 countries and have certified more than 200,000 people. In addition to the CEH, the EC-Council also administers a number of other IT-related certifications. They manage the following certifications:
Certified Network Defender (CND)
Certified Ethical Hacker (CEH)
Certified Ethical Hacker Practical
EC-Council Certified Security Analyst (ECSA)
EC-Council Certified Security Analyst Practical
Licensed Penetration Tester (LPT)
Computer Hacking Forensic Investigator (CHFI)
Certified Chief Information Security Officer (CCISO)
One advantage to holding a certification from the EC-Council is that the organization has been accredited by the American National Standards Institute (ANSI). Additionally, and perhaps more importantly for potential certification holders, the certifications from EC-Council are recognized worldwide and have been endorsed by governmental agencies like the National Security Agency (NSA). The Department of Defense Directive 8570 includes the CEH certification. This is important because having the CEH certification means that you could be quickly qualified for a number of positions with the United States government.
The CEH certification provides a bar. This means that there is a set of known standards. In order to obtain the certification, you will need to have met at least the minimal standard. These standards can be relied on consistently. This is why someone with the CEH certification can be trusted. They have demonstrated that they have met known and accepted standards of both knowledge and professional conduct.
This book is structured in a way that foundational material is up front. With this approach, you can make your way in an orderly fashion through the book, one chapter at a time. Technical books can be dry and difficult to get through sometimes, but it’s always my goal to try to make them easy to read and hopefully entertaining along the way. If you already have a lot of experience, you don’t need to take the direct route from beginning to end. You can skip around as you need to. No chapter relies on any other. They all stand alone with respect to the content. However, if you don’t have the foundation and try to jump to a later chapter, you may find yourself getting lost or confused by the material. All you need to do is jump back to some of the foundational chapters.
Beyond the foundational materials, the book generally follows a fairly standard methodology when it comes to performing security testing. This methodology will be further explained in Chapter 1. As a result, you can follow along with the steps of a penetration test/ethical hacking engagement. Understanding the outline and reason for the methodology will also be helpful to you. Again, though, if you know the material, you can move around as you need to.
Table I.1 contains an objective map to show you at a glance where you can find each objective covered. While there are chapters listed for all of these, there are some objectives that are scattered throughout the book. Specifically, tools, systems, and programs get at least touched on in most of the chapters.
TABLE I.1 Objective Map

Objective                                  Chapter
Tasks
1.1 Systems development and management     7, 14
1.2 Systems analysis and audits            4, 5, 6, 7
1.3 Security testing and vulnerabilities   7, 8
1.4 Reporting                              1, 7
1.5 Mitigation                             7, 8
1.6 Ethics                                 1
Knowledge
2.1 Background                             2, 3
2.2 Analysis/assessment                    2, 11
2.3 Security                               3, 13, 14
2.4 Tools, systems, programs               4, 5, 6, 7
2.5 Procedures/methodology                 1, 4, 5, 6, 7, 14
2.6 Regulation/policy                      1, 14
2.7 Ethics                                 1
Plan to arrive at your test center at least 30 minutes before your exam start time. To check in, you’ll need to:
Show two (2) valid, unexpired forms of personal ID (examples include: government issued IDs, passport, etc.). Both must have your signature, and one of the two must have your photo. For more information about acceptable IDs please visit https://www.isc2.org/Register-for-Exam, and look under the What You Need to Bring to the Test Center tab for more information.
Provide your signature.
Submit to a palm vein scan (unless it’s prohibited by law).
Have your photo taken. Hats, scarves, and coats may not be worn for your photo. You also can’t wear these items in the test room.
The Test Administrator (TA) will give you a short orientation. If you have already arranged for special accommodations for your testing, and (ISC)2 and Pearson VUE have approved them, be sure to go over these with the TA. Then, the TA will escort you to a computer terminal.
This book is structured in a way that you will be led through foundational concepts and then through a general methodology for ethical hacking. You can feel free to select your own pathway through the book. Remember, wherever possible, get your hands dirty. Get some experience with tools, tactics, and procedures that you are less familiar with. It will help you a lot.
Take the self-assessment. It may help you get a better idea how you can make the best use of this book.
1. Which header field is used to reassemble fragmented IP packets?
A. Destination address
B. IP identification
C. Don't fragment bit
D. ToS field
2. If you were to see the following in a packet capture, what would you expect was happening? ' or 1=1;
A. Cross-site scripting
B. Command injection
C. SQL injection
D. XML external entity injection
3. What method might you use to successfully get malware onto a mobile device?
A. Through the Apple Store or Google Play Store
B. External storage on an Android
C. Third-party app store
D. Jailbreaking
4. What protocol is used to take a destination IP address and get a packet to a destination on the local network?
A. DHCP
B. ARP
C. DNS
D. RARP
5. What would be the result of sending the string AAAAAAAAAAAAAAAAA into a variable that has been allocated space for 8 bytes?
A. Heap spraying
B. SQL injection
C. Buffer overflow
D. Slowloris attack
6. If you were to see the subnet mask 255.255.248.0, what CIDR notation (prefix) would you use to indicate the same thing?
A. /23
B. /22
C. /21
D. /20
7. What is the primary difference between a worm and a virus?
A. A worm uses polymorphic code
B. A virus uses polymorphic code
C. A worm can self-propagate
D. A virus can self-propagate
8. How would you calculate risk?
A. Probability * loss
B. Probability * mitigation factor
C. (Loss + mitigation factor) * (loss/probability)
D. Probability * mitigation factor
9. How does an evil twin attack work?
A. Phishing users for credentials
B. Spoofing an SSID
C. Changing an SSID
D. Injecting four-way handshakes
10. In order to remove malware in the network before it gets to the endpoint, you would use which of the following?
A. Antivirus
B. Application layer gateway
C. Unified threat management appliance
D. Stateful firewall
11. What is the purpose of a security policy?
A. Providing high-level guidance on the role of security
B. Providing specific direction to security workers
C. Increasing the bottom line of a company
D. Aligning standards and practices
12. What has been done to the following string? %3Cscript%3Ealert('wubble');%3C/script%3E
A. Base64 encoding
B. URL encoding
C. Encryption
D. Cryptographic hashing
13. What would you get from running the command dig ns domain.com?
A. Mail exchanger records for domain.com
B. Name server records for domain.com
C. Caching name server for domain.com
D. IP address for the hostname ns
14. What technique would you ideally use to get all of the hostnames associated with a domain?
A. DNS query
B. Zone copy
C. Zone transfer
D. Recursive request
15. If you were to notice operating system commands inside a DNS request while looking at a packet capture, what might you be looking at?
A. Tunneling attack
B. DNS amplification
C. DNS recursion
D. XML entity injection
16. What would be the purpose of running a ping sweep?
A. You want to identify responsive hosts without a port scan.
B. You want to use something that is light on network traffic.
C. You want to use a protocol that may be allowed through the firewall.
D. All of the above.
17. How many functions are specified by NIST's cybersecurity framework?
A. 0
B. 3
C. 5
D. 4
18. What would be one reason not to write malware in Python?
A. Python interpreter is slow.
B. Python interpreter may not be available.
C. There is inadequate library support.
D. Python is a hard language to learn.
19. If you saw the following command line, what would you be capturing?
tcpdump -i eth2 host 192.168.10.5
A. Traffic just from 192.168.10.5
B. Traffic to and from 192.168.10.5
C. Traffic just to 192.168.10.5
D. All traffic other than from 192.168.86.5
20. What is Diffie-Hellman used for?
A. Key management
B. Key isolation
C. Key exchange
D. Key revocation
21. Which social engineering principle may allow a phony call from the help desk to be effective?
A. Social proof
B. Imitation
C. Scarcity
D. Authority
22. How do you authenticate with SNMPv1?
A. Username/password
B. Hash
C. Public string
D. Community string
23. What is the process Java programs identify themselves to if they are sharing procedures over the network?
A. RMI registry
B. RMI mapper
C. RMI database
D. RMI process
24. What do we call an ARP response without a corresponding ARP request?
A. Is-at response
B. Who-has ARP
C. Gratuitous ARP
D. IP response
25. What are the three times that are typically stored as part of file metadata?
A. Moves, adds, changes
B. Modified, accessed, deleted
C. Moved, accessed, changed
D. Modified, accessed, created
26. Which of these is a reason to use an exploit against a local vulnerability?
A. Pivoting
B. Log manipulation
C. Privilege escalation
D. Password collection
27. What principle is used to demonstrate that a signed message came from the owner of the key that signed it?
A. Non-repudiation
B. Non-verifiability
C. Integrity
D. Authority
28. What is a viable approach to protecting against tailgating?
A. Biometrics
B. Badge access
C. Phone verification
D. Man traps
29. Why is bluesnarfing potentially more dangerous than bluejacking?
A. Bluejacking sends while bluesnarfing receives.
B. Bluejacking receives while bluesnarfing sends.
C. Bluejacking installs keyloggers.
D. Bluesnarfing installs keyloggers.
30. Which of the security triad properties does the Biba security model relate to?
A. Confidentiality
B. Integrity
C. Availability
D. All of them
1. B. The destination address is used as the address to send messages to. The don't fragment bit is used to tell network devices not to fragment the packet. The Type of Service (ToS) field can be used to perform quality of service. The IP identification field is used to identify fragments of the same packet, as they would all have the same IP identification number.
2. C. A SQL injection attack makes use of SQL queries, which can include logic that may alter the flow of the application. In the example provided, the intent is to force the result of the SQL query to always return a true. It is quoted the way it is to escape the existing query already in place in the application. None of the other attacks use a syntax that looks like the example.
3. C. The Apple App Store and the Google Play Store are controlled by Apple and Google. It's not impossible to get malware onto mobile devices that way, but it's very difficult because apps get run through a vetting process. While some Android devices will support external storage, it's not an effective way to get malware onto a smartphone or other mobile device. Jailbreaking can lead to malware being installed, but it's not the means to get malware onto a mobile device. Third-party app stores can be a good means to get malware onto mobile devices because some third-party app stores don't vet apps that are submitted.
4. B. DHCP is used to get IP configuration to endpoints. DNS is used to resolve a hostname to an IP address and vice versa. RARP is the reverse address protocol used to take a MAC address and resolve it to an IP address. ARP is used to resolve an IP address to a MAC address. Communication on a local network requires the use of a MAC address. The IP address is used to get to systems off the local network.
5. C. Heap spraying uses dynamically allocated space to store attack code. A slowloris attack is used to hold open web server connection buffers. A SQL injection will be used to inject SQL queries to the database server. A buffer overflow sends more data into the application than space has been allocated for.
6. B. A /23 network would be 255.255.254.0. A /22 would be 255.255.252.0. A /20 would be 255.255.240.0. Only a /21 would give you a 255.255.248.0 subnet mask.
7. C. Both worms and viruses could be written to use polymorphic code, which means they could modify what they look like as they propagate. A worm, though, could self-propagate. It's the one distinction between worms and viruses. Viruses require some intervention on the part of the user to propagate and execute.
8. A. Risk is the probability of the occurrence of an event multiplied by the dollar value of loss. There is no mitigation factor that is quantified so it could be put into a risk calculation.
9. B. An evil twin attack uses an access point masquerading as the point of connection for stations trying to connect to a legitimate wireless network. Stations reach out to make connections to this access point masquerading as another access point. While you may phish for credentials as part of an evil twin attack, credential phishing is not how evil twin attacks work. SSIDs don't get changed as part of an evil twin attack, meaning no SSID that exists will become another SSID. Injecting four-way handshakes won't do much, since four-way assumes both ends are communicating, so the injection of a full communication stream will get ignored.
10. C. Antivirus solutions are used on endpoints or maybe on email servers. Stateful firewalls add in the ability to factor in the state of the connection—new, related, established. An Application layer gateway knows about Application layer protocols. A unified threat management appliance adds additional capabilities on top of firewall functions, including antivirus.
11. A. Standards and practices should be derived from a security policy, which is the high-level guidance on the role of security within an organization. Security does not generally increase the bottom line of a company. Policies are not for providing specific directions, which would be the role of procedures.
12. B. Base64 encoding takes non-printable characters and encodes them in a way that they can be rendered in text. Encryption would generally render text unreadable to people. A cryptographic hash is a way of generating a fixed-length value to identify a value. URL encoding takes text and uses hexadecimal values to represent the characters. This is text that has been converted into hexadecimal so that it can be used in a URL.
13. B. Mail exchanger records would be identified as MX records. A name server record is identified with the tag NS. While an enterprise may have one or even several caching name servers, the caching name server wouldn't be said to belong to the domain since it doesn't have any domain identification associated with it.
14. C. A DNS query can be used to identify an IP address from a hostname or vice versa. You could potentially use a brute-force technique to identify hostnames, though you may not get everything using that method. A recursive request is common from a caching server to get an authoritative response. The term for getting all the contents of the zone is a zone transfer.
15. A. Tunneling attacks can be used to hide one protocol inside another. This may be used to send operating system commands using a tunnel system. A DNS amplification attack is where a small DNS request results in much larger responses sent to the target. DNS recursion is used to look up information from DNS servers. An XML entity injection attack is a web-based attack and wouldn't be found inside a DNS request.
16. D. There may be several reasons for performing a ping sweep. You likely want to identify responsive hosts on the network segment you are targeting. You may not, though, want to use a full port scan. ICMP is a lightweight protocol and there is a chance it will be allowed through the firewall, since it's used for troubleshooting and diagnostics.
17. C. The NIST cybersecurity framework specifies five functions—identify, protect, detect, respond, recover.
18. B. Python interpreters may be considered to be slower to execute than a compiled program; however, the difference is negligible, and generally speed of execution isn't much of a concern when it comes to malware. Python is not a hard language to learn and there are a lot of community-developed libraries. One challenge, though, is that you may need a Python interpreter, unless you go through the step of getting a Python compiler and compiling your script. Windows systems wouldn't commonly have a Python interpreter installed.
19. B. The expression host 192.168.10.5 is BPF indicating that tcpdump should only capture packets to and from 192.168.10.5. If you wanted to only get it to or from, you would need to modify host with src or dst.
20. C. Certificates can be revoked, but that's not what Diffie-Hellman is used for. Key management is a much broader topic than what Diffie-Hellman is used for. Diffie-Hellman is used for key exchange. It is a process that allows parties to an encrypted conversation to mutually derive the same key starting with the same base value.
21. D. While you might be imitating someone, imitation is not a social engineering principle. Neither social proof nor scarcity is at play in this situation. However, if you are calling from the help desk, you may be considered to be in a position of authority.
22. D. SNMPv3 implemented username and password authentication. With version 1, you used a cleartext community string. SNMP doesn't use hashes, and while the word "public" is often used as a community string, a public string is not a way to authenticate with SNMPv1.
23. A. Interprocess communication across systems using a network is called remote method invocation. The process that programs have to communicate with to get a dynamic port allocation is the RMI registry. This is the program you query to identify services that are available on a system that has implemented RMI.
24. C. When an ARP response is sent without a corresponding ARP request, it's an unexpected or unnecessary message, so it is a gratuitous ARP.
25. D. There are three date and time stamps commonly used in file metadata. When the file is created, that moment is stored. When a file is accessed by a user, that moment is stored. When a file is modified, that moment is stored. Accessed is not the same as modified since accessing a file could be read-only. You could open a file, expecting to modify it but not ending up doing the modification. The access time still changes. While moves, adds, and changes may sometimes be referred to as MAC like modified, accessed, and created, those are not tasks associated with file times.
26. C. Local vulnerabilities are used against applications that are not listening on the network. This means they require you to be "local" to the machine and not remote. In other words, you have to be logged in somehow. A local vulnerability would not be used to collect passwords since you don't need a vulnerability to do that. Similarly, you don't need to make use of a vulnerability to manipulate logs or to pivot. Most of those would require you to have elevated permissions, though. A local vulnerability may be exploited to get you those elevated permissions.
27. A. Integrity is part of the CIA triad but isn't the principle that ties a signed message back to the subject of the signing certificate. Non-verifiability is nonsense and authority isn't relevant here. Instead, non-repudiation means someone can't say they didn't send a message if it was signed with their key and that key was in their possession and password-protected.
28. D. Biometrics and badge access are forms of physical access control. Phone verification could possibly be used as a way of verifying identity, but it won't protect against tailgating. A man trap, however, will protect against tailgating because a man trap only allows one person in at a time.
29. B. Bluesnarfing is an attack that connects to a Bluetooth device in order to grab data from that device. Bluejacking can be used to send information to a Bluetooth device that is receiving from the attacker, such as a text message. Neither of these attacks installs keyloggers. The victim device sends information to the attacker in a bluesnarfing attack.
30. B. The Biba security model covers data integrity. While other models cover confidentiality, none of them cover availability.
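As an added example (not from the study guide), here is the conversion behind the subnet mask question above, generalized to any mask and cross-checked against Python's ipaddress module; it also rejects masks whose one-bits are not contiguous, a misconfiguration some tools silently accept. The 10.0.0.0 block used for the cross-check is a constructed value.

```python
"""Subnet mask <-> CIDR prefix conversion (added example, not the book's code)."""
import ipaddress


def mask_to_int(mask: str) -> int:
    """Parse a dotted-quad mask into a 32-bit integer, validating each octet."""
    octets = mask.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {mask!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {mask!r}")
        value = (value << 8) | n
    return value


def mask_to_prefix(mask: str) -> int:
    """Return the CIDR prefix length for a valid subnet mask.

    A valid mask is a run of one-bits followed by a run of zero-bits, so
    255.255.248.0 (11111111.11111111.11111000.00000000) is /21.  A mask
    such as 255.255.247.0 has a hole in its ones and is rejected.
    """
    value = mask_to_int(mask)
    prefix = bin(value).count("1")
    # Rebuild the canonical mask from the popcount; any difference means
    # the one-bits were not contiguous.
    canonical = ((1 << prefix) - 1) << (32 - prefix) if prefix else 0
    if canonical != value:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def prefix_to_mask(prefix: int) -> str:
    """Return the dotted-quad mask for a prefix length 0..32."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: {prefix}")
    value = ((1 << prefix) - 1) << (32 - prefix) if prefix else 0
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def hosts_in_prefix(prefix: int) -> int:
    """Usable host addresses in a block (network and broadcast excluded).

    /31 and /32 are treated as point-to-point / single-host blocks with no
    reserved addresses (RFC 3021 behaviour).
    """
    addresses = 1 << (32 - prefix)
    return addresses - 2 if prefix < 31 else addresses


def check_against_stdlib(mask: str) -> bool:
    """Cross-check our conversion with ipaddress on a constructed 10.0.0.0 block."""
    net = ipaddress.IPv4Network(f"10.0.0.0/{mask}", strict=False)
    return net.prefixlen == mask_to_prefix(mask)


if __name__ == "__main__":
    # The four answer choices from the assessment test, /20 through /23.
    for p in (20, 21, 22, 23):
        print(f"/{p:<3} {prefix_to_mask(p):<16} {hosts_in_prefix(p):>6} usable hosts")
    print("255.255.248.0 ->", "/%d" % mask_to_prefix("255.255.248.0"))
    try:
        mask_to_prefix("255.255.247.0")
    except ValueError as err:
        print("rejected:", err)
```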
THE FOLLOWING CEH EXAM TOPICS ARE COVERED IN THIS CHAPTER:
Professional code of conduct
Appropriateness of hacking
Welcome to the exciting world of information security and, specifically, the important world of what is referred to as ethical hacking. You’re here because you want to take the exam that will get you the Certified Ethical Hacker (CEH) certification. Perhaps you have done the training from EC-Council, the organization that manages the CEH, and you want a resource with a different perspective to help you as you prepare for the exam. Or you’ve decided to go the self-study route and you have enough experience to qualify for the exam. One way or another, you’re here now, and this book will help you improve your understanding of the material to prepare for the exam.
The exam covers a wide range of topics, often at a deeply technical level, so you really need to have a solid understanding of the material. This is especially true if you choose to go on to the practical exam. This chapter, however, will be your starting point, and there is nothing technical here. In it, you’ll get a chance to understand the foundations of the entire exam. First, you’ll learn just what ethical hacking is, as well as what it isn’t. The important part of the term ethical hacking is the ethical part. When you take the exam, you will be expected to abide by a code. It’s essential to understand that code so you can live by it throughout your entire career.
Finally, you’ll learn what EC-Council is, as well as the format and other details of the exam that will be useful to you. While some of it may seem trivial, it can be helpful to get a broader context for why the exam was created and learn about the organization that runs it. Personally, I find it useful to understand what’s underneath something rather than experience it at a superficial level. As a result, you’ll get the macro explanation and you can choose to use it or not, depending on whether you find it helpful. It won’t be part of the exam, but it may help you understand what’s behind the exam so you understand the overall intentions.
Before we start talking about ethical hacking, I will cover the most important aspect of that, which is ethics. You’ll notice it’s not referred to as “hacking ethically.” It’s ethical hacking. The important part is in the front. Ethics can be a challenging subject because you will find that it is not universal. Different people have different views of what is ethical and what is not ethical. It’s essential, though, that you understand what ethics are and what is considered ethical and unethical from the perspective of the Certified Ethical Hacker certification. This is a critical part of the exam and the certification. After all, you are being entrusted with access to sensitive information and critical systems. To keep yourself viable as a professional, you need to behave and perform your work in an ethical manner. Not only will you be expected to behave ethically, you will be expected to adhere to a code of ethics.
As part of the code of ethics, you will be sworn to keep information you obtain as part of your work private, paying particular attention to protecting the information and intellectual property of employers and clients. When you are attacking systems that belong to other people, you could be provided with internal information that is sensitive. You could also come across some critical information vital to the organization for which you are working. Failing to protect any of that data violates the code of ethics by compromising the confidentiality of that information.
You are expected to disclose information that needs to be disclosed to the people who have engaged your services. This includes any issues that you have identified. You are also expected to disclose potential conflicts of interest that you may have. It’s important to be transparent in your dealings and also do the right thing when it comes to protecting your clients, employers, and their business interests. Additionally, if you come across something that could have an impact on a large number of people across the Internet, you are expected to disclose it in a responsible manner. This doesn’t mean disclosing it in a public forum. It means working with your employer, any vendor that may be involved, and any computer emergency response team (CERT) that may have jurisdiction over your findings.
For examples of responsible disclosure, look at the work of Dan Kaminsky. He has found serious flaws in the implementations of the Domain Name System (DNS), which impacts everyone on the Internet. He worked responsibly with vendors to ensure that they had time to fix their implementations and remediate the vulnerabilities before he disclosed them. In the end, he did disclose the vulnerabilities in a very public manner, but only after vendors had time to fix the issue. This meant he wasn’t putting people in the path of compromise and potential information disclosure. Even though he was using the software in a way that it wasn’t intended to be used, he was using an ethical approach by attempting to address an issue before someone could make use of the issue in a malicious way.
As you perform work, you will be given access to resources provided by the client or company. Under the code of ethics you will need to agree to, you cannot misuse any of the equipment. You can’t damage anything you have access to as part of your employment or contract. There will be times when the testing you are performing may cause damage to a service provided by the infrastructure of the company you are working for or with. As long as this is unintentional or agreed to be acceptable by the company, this is okay. One way to alleviate this concern is to keep lines of communication open at all times. If it happens that an unexpected outage occurs, ensuring that the right people know so it can be remedied is essential.
Perhaps it goes without saying, but you are not allowed to engage in any illegal actions. Similarly, you cannot have been convicted of any felony or violate any laws. Along the same lines, though it’s not directly illegal, you can’t be involved with any group that may be considered “black hat,” meaning they are engaged in potentially illegal activities, such as attacking computer systems for malicious purposes.
You may regularly hear the terms white hat, black hat, and gray hat