
CEHv8 Certified Ethical Hacker Version 8 Study Guide John Wiley Sons Inc



CEHv8

Certified Ethical
Hacker Version 8
Study Guide


Sean-Philip Oriyano



Senior Acquisitions Editor: Jeff Kellum
Development Editor: Richard Mateosian
Technical Editors: Albert Whale and Robert Burke
Production Editor: Dassi Zeidel
Copy Editors: Liz Welch and Tiffany Taylor
Editorial Manager: Pete Gaughan
Vice President and Executive Group Publisher: Richard Swadley
Associate Publisher: Chris Webb
Media Project Manager I: Laura Moss-Hollister
Media Associate Producer: Marilyn Hummel
Media Quality Assurance: Doug Kuhn
Book Designer: Judy Fung
Proofreader: Sarah Kaikini, Word One New York
Indexer: Ted Laux
Project Coordinator, Cover: Patrick Redmond
Cover Designer: Wiley
Cover Image: ©Getty Images Inc./Jeremy Woodhouse
Copyright © 2014 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-118-64767-7
ISBN: 978-1-118-76332-2 (ebk.)
ISBN: 978-1-118-98928-9 (ebk.)
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any
means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections
107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or
authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood
Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should
be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201)
748-6011, fax (201) 748-6008, or online at
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties
with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or
extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for
every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal,
accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of
further information does not mean that the author or the publisher endorses the information the organization or
Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites
listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact
our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax
(317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with
standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to
media such as a CD or DVD that is not included in the version you purchased, you may download this material at
. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2014931949.
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John
Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without
written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is
not associated with any product or vendor mentioned in this book.


Dear Reader,

Thank you for choosing CEHv8: Certified Ethical Hacker Version 8 Study Guide. This
book is part of a family of premium-quality Sybex books, all of which are written by outstanding authors who combine practical experience with a gift for teaching.
Sybex was founded in 1976. More than 30 years later, we’re still committed to producing
consistently exceptional books. With each of our titles, we’re working hard to set a new
standard for the industry. From the paper we print on, to the authors we work with, our
goal is to bring you the best books available.
I hope you see all that reflected in these pages. I’d be very interested to hear your
comments and get your feedback on how we’re doing. Feel free to let me know what you
think about this or any other Sybex book by sending me an e-mail at contactus@sybex.com.
If you think you’ve found a technical error in this book, please visit http://sybex.custhelp.com.
Customer feedback is critical to our efforts at Sybex.


Best regards,







Chris Webb
Associate Publisher
Sybex, an Imprint of Wiley



Acknowledgments
First, I would like to send a big thanks out to my mom for all her support over the years as
without her I would not be where I am today. Thank you, Mom, and I love you.
Second, thanks to my support network back in Alpha Company and my classmates. All of
you will eternally be my brothers and sisters, and it’s this man’s honor to serve with you.
Next, thanks to my friend Jason McDowell. Your advice and input on some of the delicate
topics of this book was a big help.
Thanks to the copy editors, Liz Welch and Tiffany Taylor, and to the proofreader Sarah
Kaikini at Word One, for all their hard work.
Finally, thanks to Jeff Kellum for your support and assistance in the making of this book.
UMAXISHQMWRVPGBENBZZROIOCMIORMBNYCOOGMZOAAVSLPZOCTQDOZHZROQOHWZKNPRLIDFLZARDOLRTD.
Duty, Service, Honor



About the Author
Sean-Philip Oriyano is the owner of oriyano.com and a veteran of the IT field who has
experience in the aerospace, defense, and cybersecurity industries. During his time in the
industry, he has consulted and instructed on topics across the IT and cybersecurity fields
for small clients up to the enterprise level. Over the course of his career, he has worked with
the U.S. military and Canadian armed forces and has taught at locations such as the U.S.
Air Force Academy and the U.S. Naval War College.
In addition to his civilian career, Sean is a member of the California State Military Reserve,
where he serves as a warrant officer specializing in networking and security. In this role, he
works to support the U.S. Army and National Guard on technology issues and training.
When not working, he enjoys flying, traveling, skydiving, competing in obstacle races, and
cosplaying.



Contents at a Glance
Introduction
Assessment Test
Chapter 1  Getting Started with Ethical Hacking
Chapter 2  System Fundamentals
Chapter 3  Cryptography
Chapter 4  Footprinting and Reconnaissance
Chapter 5  Scanning Networks
Chapter 6  Enumeration of Services
Chapter 7  Gaining Access to a System
Chapter 8  Trojans, Viruses, Worms, and Covert Channels
Chapter 9  Sniffers
Chapter 10  Social Engineering
Chapter 11  Denial of Service
Chapter 12  Session Hijacking
Chapter 13  Web Servers and Web Applications
Chapter 14  SQL Injection
Chapter 15  Wireless Networking
Chapter 16  Evading IDSs, Firewalls, and Honeypots
Chapter 17  Physical Security
Appendix A  Answers to Review Questions
Appendix B  About the Additional Study Tools
Index



Contents
Introduction
Assessment Test
Chapter 1  Getting Started with Ethical Hacking
    Hacking: A Short History
    The Early Days of Hacking
    Current Developments
    Hacking: Fun or Criminal Activity?
    The Evolution and Growth of Hacking
    What Is an Ethical Hacker?
    Ethical Hacking and Penetration Testing
    Hacking Methodologies
    Vulnerability Research and Tools
    Ethics and the Law
    Summary
    Exam Essentials
    Review Questions
Chapter 2  System Fundamentals
    Exploring Network Topologies
    Working with the Open Systems Interconnection Model
    Dissecting the TCP/IP Suite
    IP Subnetting
    Hexadecimal vs. Binary
    Exploring TCP/IP Ports
    Domain Name System
    Understanding Network Devices
    Routers and Switches
    Working with MAC Addresses
    Proxies and Firewalls
    Intrusion Prevention and Intrusion Detection Systems
    Network Security
    Knowing Operating Systems
    Windows
    Mac OS
    Linux
    Backups and Archiving
    Summary
    Exam Essentials
    Review Questions


Chapter 3  Cryptography
    Cryptography: Early Applications and Examples
    History of Cryptography
    Tracing the Evolution
    Cryptography in Action
    So How Does It Work?
    Symmetric Cryptography
    Asymmetric, or Public Key, Cryptography
    Understanding Hashing
    Issues with Cryptography
    Applications of Cryptography
    IPSec
    Pretty Good Privacy
    Secure Sockets Layer (SSL)
    Summary
    Exam Essentials
    Review Questions
Chapter 4  Footprinting and Reconnaissance
    Understanding the Steps of Ethical Hacking
    Phase 1: Footprinting
    Phase 2: Scanning
    Phase 3: Enumeration
    Phase 4: System Hacking
    What Is Footprinting?
    Why Perform Footprinting?
    Goals of the Footprinting Process
    Terminology in Footprinting
    Open Source and Passive Information Gathering
    Active Information Gathering
    Pseudonymous Footprinting
    Internet Footprinting
    Threats Introduced by Footprinting
    The Footprinting Process
    Using Search Engines
    Location and Geography
    Social Networking and Information Gathering
    Financial Services and Information Gathering
    The Value of Job Sites
    Working with E-mail
    Competitive Analysis
    Google Hacking
    Gaining Network Information
    Social Engineering: The Art of Hacking Humans
    Summary
    Exam Essentials
    Review Questions
Chapter 5  Scanning Networks
    What Is Network Scanning?
    Checking for Live Systems
    Wardialing
    Wardriving
    Pinging
    Port Scanning
    Checking for Open Ports
    Types of Scans
    Full Open Scan
    Stealth Scan, or Half-open Scan
    Xmas Tree Scan
    FIN Scan
    NULL Scan
    ACK Scanning
    UDP Scanning
    OS Fingerprinting
    Banner Grabbing
    Countermeasures
    Vulnerability Scanning
    Drawing Network Diagrams
    Using Proxies
    Setting a Web Browser to Use a Proxy
    Summary
    Exam Essentials
    Review Questions
Chapter 6  Enumeration of Services
    A Quick Review
    Footprinting
    Scanning
    What Is Enumeration?
    Windows Basics
    Users
    Groups
    Security Identifiers
    Services and Ports of Interest
    Commonly Exploited Services
    NULL Sessions
    SuperScan
    The PsTools Suite
    Enumeration with SNMP
    Management Information Base
    SNScan
    Unix and Linux Enumeration
    finger
    rpcinfo
    showmount
    Enum4linux
    LDAP and Directory Service Enumeration
    Enumeration Using NTP
    SMTP Enumeration
    Using VRFY
    Using EXPN
    Using RCPT TO
    SMTP Relay
    Summary
    Exam Essentials
    Review Questions
Chapter 7  Gaining Access to a System
    Up to This Point
    System Hacking
    Authentication on Microsoft Platforms
    Executing Applications
    Covering Your Tracks
    Summary
    Exam Essentials
    Review Questions
Chapter 8  Trojans, Viruses, Worms, and Covert Channels
    Malware
    Malware and the Law
    Categories of Malware
    Viruses
    Worms
    Spyware
    Adware
    Scareware
    Trojans
    Overt and Covert Channels
    Summary
    Exam Essentials
    Review Questions
Chapter 9  Sniffers
    Understanding Sniffers
    Using a Sniffer
    Sniffing Tools
    Wireshark
    TCPdump
    Reading Sniffer Output
    Switched Network Sniffing
    MAC Flooding
    ARP Poisoning
    MAC Spoofing
    Port Mirror or SPAN Port
    On the Defensive
    Mitigating MAC Flooding
    Detecting Sniffing Attacks
    Exam Essentials
    Summary
    Review Questions
Chapter 10  Social Engineering
    What Is Social Engineering?
    Why Does Social Engineering Work?
    Why is Social Engineering Successful?
    Social-Engineering Phases
    What Is the Impact of Social Engineering?
    Common Targets of Social Engineering
    What Is Social Networking?
    Mistakes in Social Media and Social Networking
    Countermeasures for Social Networking
    Commonly Employed Threats
    Identity Theft
    Protective Measures
    Know What Information Is Available
    Summary
    Exam Essentials
    Review Questions


Chapter 11  Denial of Service
    Understanding DoS
    DoS Targets
    Types of Attacks
    Buffer Overflow
    Understanding DDoS
    DDoS Attacks
    DoS Tools
    DDoS Tools
    DoS Defensive Strategies
    Botnet-Specific Defenses
    DoS Pen Testing Considerations
    Summary
    Exam Essentials
    Review Questions
Chapter 12  Session Hijacking
    Understanding Session Hijacking
    Spoofing vs. Hijacking
    Active and Passive Attacks
    Session Hijacking and Web Apps
    Types of Application-Level Session Hijacking
    A Few Key Concepts
    Network Session Hijacking
    Exploring Defensive Strategies
    Summary
    Exam Essentials
    Review Questions
Chapter 13  Web Servers and Web Applications
    Exploring the Client-Server Relationship
    The Client and the Server
    Closer Inspection of a Web Application
    Vulnerabilities of Web Servers and Applications
    Common Flaws and Attack Methods
    Summary
    Exam Essentials
    Review Questions
Chapter 14  SQL Injection
    Introducing SQL Injection
    Results of SQL Injection
    The Anatomy of a Web Application
    Databases and Their Vulnerabilities
    Anatomy of a SQL Injection Attack
    Altering Data with a SQL Injection Attack
    Injecting Blind
    Information Gathering
    Evading Detection Mechanisms
    SQL Injection Countermeasures
    Summary
    Exam Essentials
    Review Questions
Chapter 15  Wireless Networking
    What Is a Wireless Network?
    Wi-Fi: An Overview
    The Fine Print
    Wireless Vocabulary
    A Close Examination of Threats
    Ways to Locate Wireless Networks
    Choosing the Right Wireless Card
    Hacking Bluetooth
    Summary
    Exam Essentials
    Review Questions
Chapter 16  Evading IDSs, Firewalls, and Honeypots
    Honeypots, IDSs, and Firewalls
    The Role of Intrusion Detection Systems
    Firewalls
    What’s That Firewall Running?
    Honeypots
    Run Silent, Run Deep: Evasion Techniques
    Evading Firewalls
    Summary
    Exam Essentials
    Review Questions

Chapter 17  Physical Security
    Introducing Physical Security
    Simple Controls
    Dealing with Mobile Device Issues
    Securing the Physical Area
    Defense in Depth
    Summary
    Exam Essentials
    Review Questions
Appendix A  Answers to Review Questions
Appendix B  About the Additional Study Tools
Index




Table of Exercises
Exercise 2.1  Finding the MAC Address
Exercise 4.1  Finding the IP Address of a Website
Exercise 4.2  Examining a Site
Exercise 7.1  Extracting Hashes from a System
Exercise 7.2  Creating Rainbow Tables
Exercise 7.3  Working with Rainbow Crack
Exercise 7.4  PSPV
Exercise 8.1  Creating a Simple Virus
Exercise 8.2  Using Netstat to Detect Open Ports
Exercise 8.3  Using TCPView to Track Port Usage
Exercise 9.1  Sniffing with Wireshark
Exercise 9.2  Sniffing with TCPdump
Exercise 9.3  Understanding Packet Analysis
Exercise 11.1  Performing a SYN Flood
Exercise 11.2  Seeing LOIC in Action
Exercise 12.1  Performing an MITM Attack
Exercise 13.1  Performing a Password Crack



Introduction
If you’re preparing to take the CEH exam, you’ll undoubtedly want to find as much information as you can about computers, networks, applications, and physical security. The
more information you have at your disposal and the more hands-on experience you gain,
the better off you’ll be when taking the exam. This study guide was written with that goal
in mind—to provide enough information to prepare you for the test, but not so much that
you’ll be overloaded with information that is too far outside the scope of the exam. To
make the information more understandable, I’ve included practical examples and experience that supplement the theory.
This book presents the material at an advanced technical level. An understanding of network concepts and issues, computer hardware and operating systems, and applications will
come in handy when you read this book. While every attempt has been made to present the
concepts and exercises in an easy-to-understand format, you will need to have experience
with IT and networking technology to get the best results.
I’ve included review questions at the end of each chapter to give you a taste of what it’s
like to take the exam. If you’re already working in the security field, check out these questions first to gauge your level of expertise. You can then use the book to fill in the gaps in
your current knowledge. This study guide will help you round out your knowledge base
before tackling the exam itself.
If you can answer 85 percent to 90 percent or more of the review questions correctly for
a given chapter, you can feel safe moving on to the next chapter. If you’re unable to answer
that many questions correctly, reread the chapter and try the questions again. Your score
should improve.
Don’t just study the questions and answers! The questions on the actual
exam will be different from the practice questions included in this book.
The exam is designed to test your knowledge of a concept or objective, so
use this book to learn the objectives behind the questions.

Before You Begin Studying
Before you begin preparing for the exam, it’s imperative that you understand a few things
about the CEH certification. CEH is a certification from the International Council of Electronic Commerce Consultants (EC-Council) granted to those who obtain a passing score
on a single exam (number 312-50). The exam is predominantly multiple choice, with some
questions including diagrams and sketches that you must analyze to arrive at an answer.
This exam requires intermediate to advanced-level experience; you’re expected to know a
great deal about security from an implementation and theory perspective as well as a practical perspective.



In many books, the glossary is filler added to the back of the text; this book’s glossary
(located on the companion website at www.sybex.com/go/cehv8) should be considered necessary reading. You’re likely to see a question on the exam about what a black or white box
test is—not how to specifically implement it in a working environment. Spend your study
time learning the various security solutions and identifying potential security vulnerabilities
and where they are applicable. Also spend time thinking outside the box about how things
work—the exam is also known to alter phrases and terminology—but keep the underlying
concept as a way to test your thought process.
The EC-Council is known for presenting concepts in unexpected ways on their exam.
The exam tests whether you can apply your knowledge rather than just commit information to memory and repeat it back. Use your analytical skills to visualize the situation and
then determine how it works. The questions throughout this book make every attempt to
re-create the structure and appearance of the CEH exam questions.

Why Become CEH Certified?
There are a number of reasons for obtaining the CEH certification. These include the
following:
Provides Proof of Professional Achievement  Specialized certifications are the best way to
stand out from the crowd. In this age of technology certifications, you’ll find hundreds of
thousands of administrators who have successfully completed the Microsoft and Cisco certification tracks. To set yourself apart from the crowd, you need a little bit more. The CEH
exam is part of the EC-Council certification track, which includes the other security-centric
certifications if you wish to attempt those.
Increases Your Marketability  The CEH for several years has provided a valuable benchmark of the skills of a pen tester to potential employers or clients. Once you hold the CEH
certification, you’ll have the credentials to prove your competency. Moreover, certifications
can’t be taken from you when you change jobs—you can take that certification with you to
any position you accept.
Provides Opportunity for Advancement  Individuals who prove themselves to be competent and dedicated are the ones who will most likely be promoted. Becoming certified
is a great way to prove your skill level and show your employer that you’re committed to
improving your skill set. Look around you at those who are certified: They are probably the
people who receive good pay raises and promotions.
Fulfills Training Requirements  Many companies have set training requirements for their
staff so that they stay up to date on the latest technologies. Having a certification program
in security provides administrators with another certification path to follow when they
have exhausted some of the other industry-standard certifications.
Raises Customer Confidence  Many companies, small businesses, and the governments of
various countries have long discovered the advantages of being a CEH. Many organizations
require that employees and contractors hold the credential in order to engage in certain
work activities.


How to Become a CEH Certified Professional
The first place to start on your way to certification is to register for the exam at any Pearson VUE testing center. Exam pricing might vary by country or by EC-Council membership. You can contact Pearson VUE by going to their website (www.vue.com), or in the
United States and Canada by calling toll-free 877-551-7587.
When you schedule the exam, you’ll receive instructions about appointment and cancellation procedures, ID requirements, and information about the testing center location. In
addition, you will be required to provide a special EC-Council–furnished code in order
to complete the registration process. Finally, you will also be required to fill out a form
describing professional experience and background before a code will be issued for you to
register.
Exam prices and codes may vary based on the country in which the exam
is administered. For detailed pricing and exam registration procedures,
refer to EC-Council’s website at www.eccouncil.org/certification.

After you’ve successfully passed your CEH exam, the EC-Council will award you with
certification. Within four to six weeks of passing the exam, you’ll receive your official EC-Council CEH certificate.

Who Should Read This Book?
If you want to acquire a solid amount of information in hacking and pen-testing techniques
and your goal is to prepare for the exam by learning how to develop and improve security,
this book is for you. You’ll find clear explanations of the concepts you need to grasp and
plenty of help to achieve the high level of professional competency you need in order to succeed in your chosen field.
If you want to become certified, this book is definitely what you need. However, if you
just want to attempt to pass the exam without really understanding security, this study
guide isn’t for you. You must be committed to learning the theory and concepts in this
book to be successful.
In addition to reading this book, consider downloading and reading the
white papers on security that are scattered throughout the Internet.

What Does This Book Cover?
This book covers everything you need to know to pass the CEH exam. Here’s a breakdown
chapter by chapter:
