CEH v9
TM

Certified Ethical Hacker
Version 9
Study Guide



CEH v9
TM

Certified Ethical Hacker
Version 9
Study Guide

Sean-Philip Oriyano


Development Editor: Kim Wimpsett
Technical Editors: Raymond Blockmon, Jason McDowell, Tom Updegrove
Production Editor: Rebecca Anderson
Copy Editor: Linda Recktenwald
Editorial Manager: Mary Beth Wakefield
Production Manager: Kathleen Wisor
Executive Editor: Jim Minatel
Media Supervising Producer: Rich Graves
Book Designers: Judy Fung and Bill Gibson
Proofreader: Nancy Carrasco

Indexer: J & J Indexing
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: ©Getty Images Inc./Jeremy Woodhouse
Copyright © 2016 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-25224-5
ISBN: 978-1-119-25227-6 (ebk.)
ISBN: 978-1-119-25225-2 (ebk.)
Manufactured in the United States of America
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or
by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written
permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the
Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 6468600. Requests to the Publisher for permission should be addressed to the Permissions Department, John
Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online
at />Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim
all warranties, including without limitation warranties of fitness for a particular purpose. No warranty
may be created or extended by sales or promotional materials. The advice and strategies contained herein
may not be suitable for every situation. This work is sold with the understanding that the publisher is not
engaged in rendering legal, accounting, or other professional services. If professional assistance is required,
the services of a competent professional person should be sought. Neither the publisher nor the author
shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this
work as a citation and/or a potential source of further information does not mean that the author or the
publisher endorses the information the organization or Web site may provide or recommendations it may
make. Further, readers should be aware that Internet Web sites listed in this work may have changed or
disappeared between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact
our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or
fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material

included with standard print versions of this book may not be included in e-books or in print-on-demand.
If this book refers to media such as a CD or DVD that is not included in the version you purchased, you
may download this material at . For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2016934529
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John
Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without
written permission. CEH is a trademark of EC-Council. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
10 9 8 7 6 5 4 3 2 1


I would like to dedicate this book to Medal of Honor recipient (and
personal hero) Sgt. Maj. (USA) Jon R. Cavaiani, who passed away some
time before this book was written. Thank you for giving me the honor to
shake your hand.


Acknowledgments 
Writing acknowledgements is probably the toughest part of writing a book in my opinion
as I always feel that I have forgotten someone who had to deal with my hijinks over the
past few months. Anyway, here goes.
First of all, I want to thank my Mom and Dad for all of your support over the years as
well as being your favorite son. That’s right, I said it.
I would also like to take a moment to thank all the men and women I have served with
over the years. It is an honor for this Chief Warrant Officer to serve with each of you. I
would also like to extend a special thanks to my own unit for all the work you do, you are
each a credit to the uniform. Finally, thanks to my Commander for your mentorship, support, and faith in my abilities.
To my friends I want to say thanks for tearing me away from my computer now and
then when you knew I needed to let my brain cool off a bit. Mark, Jason, Jennifer, Fred,
Misty, Arnold, Shelly, and especially Lisa, you all helped me put my focus elsewhere for a
while before I went crazy(er).

I would also like to thank Shigeru Miyamoto for bringing the Legend of Zelda into
reality.
Finally, on a more serious note, I would like to dedicate this book to Medal of Honor
recipient (and personal hero) Sgt. Maj. (USA) Jon R. Cavaiani who passed away some time
before this book was written. Thank you for giving me the honor to shake your hand.
—Sean-Philip Oriyano
Duty, Service, Honor


About the Author
Sean Oriyano   (www.oriyano.com) is a seasoned security professional and entrepreneur.
Over the past 25 years he has split his time among writing, researching, consulting, and
training various people and organizations on a wide range of topics relating to both IT and
security. As an instructor and consultant, Sean has traveled all over the world, sharing his
knowledge as well as gaining exposure to many different environments and cultures along
the way. His broad knowledge and easy-to-understand manner, along with a healthy dose
of humor, have led to Sean being a regularly requested instructor.
Outside of training and consulting, Sean is also a best-selling author with many
years of experience in both digital and print media. Sean has published books for
McGraw-Hill, Wiley, Sybex, O’Reilly Media, and Jones & Bartlett. Over the last decade
Sean has expanded his reach even further by appearing in shows on both TV and radio. To
date, Sean has appeared in over a dozen TV programs and radio shows discussing various
cybersecurity topics and technologies. When in front of the camera, Sean has been noted
for his casual demeanor and praised for his ability to explain complex topics in an easyto-understand manner.
Outside his own business activities, Sean is a member of the military as a chief ­warrant
officer specializing in infrastructure and security as well as the development of new troops.
In addition, as a CWO he is recognized as a subject matter expert in his field and is frequently
called upon to provide expertise, training, and mentoring wherever needed.
When not working, Sean is an avid obstacle course racer, having completed numerous
races, including a world championship race and a Spartan Trifecta. He also enjoys

traveling, bodybuilding, training, and developing his mixed martial arts skills plus taking
survival courses.
Sean holds many certifications and qualifications that demonstrate his knowledge and
experience in the IT field, such as the CISSP, CNDA, and Security+.



Contents at a Glance
Introduction

xxi

Assessment Test

xxxii

Chapter 1

Introduction to Ethical Hacking

Chapter 2

System Fundamentals

39

Chapter 3

Cryptography


71

Chapter 4

Footprinting  

99

Chapter 5

Scanning 

127

Chapter 6

Enumeration 

159

Chapter 7

System Hacking 

193

Chapter 8

Malware  


223

Chapter 9

Sniffers

255

Chapter 10

Social Engineering

281

Chapter 11

Denial of Service 

305

Chapter 12

Session Hijacking 

331

Chapter 13

Web Servers and Applications


359

Chapter 14

SQL Injection

389

Chapter 15

Hacking Wi‐Fi and Bluetooth

409

Chapter 16

Mobile Device Security 

439

Chapter 17

Evasion 

461

Chapter 18

Cloud Technologies and Security 


485

Chapter 19

Physical Security 

501

Appendix A

Answers to Review Questions

525

Appendix B

Penetration Testing Frameworks 

549

Appendix C

Building a Lab

565

Index

1


575



Contents
Introduction

xxi

Assessment Test
Chapter

Chapter

1

2

xxxii
Introduction to Ethical Hacking

1

Hacking: the Evolution
The Early Days of Hacking
Current Developments
Hacking: Fun or Criminal Activity?
The Evolution and Growth of Hacking
So, What Is an Ethical Hacker?
What Are Your Responsibilities?

Code of Conduct and Ethics
Ethical Hacking and Penetration Testing
Hacking Methodologies
Vulnerability Research and Tools
What Is Incident Response?
Business Continuity Plan
Ethics and the Law
Summary
Exam Essentials
Review Questions

3
3
4
5
7
9
9
11
12
17
21
21
26
33
34
35
36

System Fundamentals


39

Exploring Network Topologies
Working with the Open Systems Interconnection Model
Dissecting the TCP/IP Suite
IP Subnetting
Hexadecimal vs. Binary
Exploring TCP/IP Ports
Domain Name System
Understanding Network Devices
Routers and Switches
Working with MAC Addresses
Proxies and Firewalls
Intrusion Prevention and Intrusion Detection Systems
Network Security
Knowing Operating Systems
Microsoft Windows
Mac OS

40
44
47
49
49
50
53
53
53
55

56
57
58
60
60
61


xii 

Chapter

Chapter

Contents

3

4

Android
Linux
Backups and Archiving
Summary
Exam Essentials
Review Questions

62
62
63

64
65
66

Cryptography

71

Cryptography: Early Applications and Examples
History of Cryptography
Tracing the Evolution
Cryptography in Action
So How Does It Work?
Symmetric Cryptography
Asymmetric, or Public Key, Cryptography
Understanding Hashing
Issues with Cryptography
Applications of Cryptography
IPsec
Pretty Good Privacy
Secure Sockets Layer
Summary
Exam Essentials
Review Questions

73
73
75
76
77

77
80
86
88
89
90
92
93
94
94
95

Footprinting  

99

Understanding the Steps of Ethical Hacking
Phase 1: Footprinting
Phase 2: Scanning
Phase 3: Enumeration
Phase 4: System Hacking
What Is Footprinting?
Why Perform Footprinting?
Goals of the Footprinting Process
Terminology in Footprinting
Open Source and Passive Information Gathering
Passive Information Gathering
Pseudonymous Footprinting
Internet Footprinting
Threats Introduced by Footprinting

The Footprinting Process
Using Search Engines
Google Hacking

100
100
101
101
102
102
103
103
106
106
106
106
107
107
108
108
108


Contents 

Chapter

5

xiii


Public and Restricted Websites
Location and Geography
Social Networking and Information Gathering
Financial Services and Information Gathering
The Value of Job Sites
Working with Email
Competitive Analysis
Gaining Network Information
Social Engineering: the Art of Hacking Humans
Summary
Exam Essentials
Review Questions

111
112
113
116
116
117
118
119
120
121
121
123

Scanning 

127


What Is Scanning?
Types of Scans
Checking for Live Systems
Wardialing
Using Ping
Hping3: the Heavy Artillery
Checking the Status of Ports
The Family Tree of Scans
Full-Open Scan
Stealth or Half-Open Scan
Xmas Tree Scan
FIN Scan
NULL Scan
Idle Scanning
ACK Scanning
UDP Scanning
OS Fingerprinting
Active Fingerprinting with Nmap
Passive Fingerprinting an OS
Banner Grabbing
Countermeasures
Vulnerability Scanning
Mapping the Network
Using Proxies
Setting a Web Browser to Use a Proxy
Summary
Exam Essentials
Review Questions


128
129
130
131
133
134
135
138
138
138
139
140
141
142
143
144
145
146
147
149
151
151
152
153
154
155
155
156



xiv 

Chapter

Contents

6

Enumeration 
A Quick Review
Footprinting
Scanning
What Is Enumeration?
About Windows Enumeration
Users
Groups
Security Identifiers
Linux Basic
Users
Services and Ports of Interest
Commonly Exploited Services
NULL Sessions
SuperScan
DNS Zone Transfers
The PsTools Suite
Using finger
Enumeration with SNMP
Management Information Base
SNScan
Unix and Linux Enumeration

finger
rpcinfo
showmount
enum4linux
LDAP and Directory Service Enumeration
JXplorer
Preventing LDAP Enumeration
Enumeration Using NTP
SMTP Enumeration
Using VRFY
Using EXPN
Using RCPT TO
SMTP Relay
Summary
Exam Essentials
Review Questions

Chapter

7

System Hacking 
Up to This Point
Footprinting
Scanning
Enumeration

159
160
160

161
161
163
163
164
166
168
168
169
170
173
174
174
177
178
178
179
180
180
180
181
181
181
182
183
183
184
184
185
185

186
186
187
187
189
193
194
194
195
195


Contents 

System Hacking
Password Cracking
Authentication on Microsoft Platforms
Executing Applications
Covering Your Tracks
Summary
Exam Essentials
Review Questions
Chapter

8

Malware  
Malware
Malware and the Law
Categories of Malware

Viruses
Worms
Spyware
Adware
Scareware
Ransomware
Trojans
Overt and Covert Channels
Summary
Exam Essentials
Review Questions

Chapter

9

Sniffers
Understanding Sniffers
Using a Sniffer
Sniffing Tools
Wireshark
Tcpdump
Reading Sniffer Output
Switched Network Sniffing
MAC Flooding
ARP Poisoning
MAC Spoofing
Port Mirror or SPAN Port
On the Defensive
Mitigating MAC Flooding

Detecting Sniffing Attacks
Summary
Exam Essentials
Review Questions

xv

196
196
209
213
215
217
218
219
223
224
226
227
228
234
236
237
237
238
238
247
249
250
251

255
256
259
259
260
264
266
270
270
271
272
272
273
274
275
275
276
277


xvi 

Chapter

Chapter

Chapter

Contents


10

11

12

Social Engineering

281

What Is Social Engineering?
Why Does Social Engineering Work?
The Power of Social Engineering
Social-Engineering Phases
What Is the Impact of Social Engineering?
Common Targets of Social Engineering
Social Networking to Gather Information?
Networking
Countermeasures for Social Networking
Commonly Employed Threats
Identity Theft
Protective Measures
Know What Information Is Available
Summary
Exam Essentials
Review Questions

282
283
284

285
285
286
287
289
291
293
296
297
298
298
299
300

Denial of Service 

305

Understanding DoS
DoS Targets
Types of Attacks
Buffer Overflow
Understanding DDoS
DDoS Attacks
DoS Tools
DDoS Tools
DoS Defensive Strategies
Botnet-Specific Defenses
DoS Pen-Testing Considerations
Summary

Exam Essentials
Review Questions

306
308
308
314
317
318
319
320
323
323
324
324
324
326

Session Hijacking 

331

Understanding Session Hijacking
Spoofing vs. Hijacking
Active and Passive Attacks
Session Hijacking and Web Apps
Types of Application-Level Session Hijacking
A Few Key Concepts
Network Session Hijacking


332
334
335
336
337
341
344


Contents 

Exploring Defensive Strategies
Summary
Exam Essentials
Review Questions
Chapter

13

Web Servers and Applications
Exploring the Client‐Server Relationship
Looking Closely at Web Servers
Web Applications
The Client and the Server
A Look at the Cloud
Closer Inspection of a Web Application
Vulnerabilities of Web Servers and Applications
Common Flaws and Attack Methods
Testing Web Applications
Summary

Exam Essentials
Review Questions

Chapter

14

SQL Injection
Introducing SQL Injection
Results of SQL Injection
The Anatomy of a Web Application
Databases and Their Vulnerabilities
Anatomy of a SQL Injection Attack
Altering Data with a SQL Injection Attack
Injecting Blind
Information Gathering
Evading Detection Mechanisms
SQL Injection Countermeasures
Summary
Exam Essentials
Review Questions

Chapter

15

Hacking Wi‐Fi and Bluetooth
What Is a Wireless Network?
Wi‐Fi: an Overview
The Fine Print

Wireless Vocabulary
A Close Examination of Threats
Ways to Locate Wireless Networks
Choosing the Right Wireless Card
Hacking Bluetooth

xvii

352
353
353
355
359
360
361
363
364
365
366
369
375
383
384
384
385
389
390
392
393
394

396
399
401
402
403
404
405
405
406
409
410
410
411
414
425
429
430
431


xviii 

Contents

Summary
Exam Essentials
Review Questions
Chapter

Chapter


Chapter

16

17

18

Mobile Device Security 

433
434
435
439

Mobile OS Models and Architectures
Goals of Mobile Security
Device Security Models
Google Android OS
Apple iOS
Common Problems with Mobile Devices
Penetration Testing Mobile Devices
Penetration Testing Using Android
Countermeasures
Summary
Exam Essentials
Review Questions

440

441
442
443
446
447
449
450
454
455
456
457

Evasion 

461

Honeypots, IDSs, and Firewalls
The Role of Intrusion Detection Systems
Firewalls
What’s That Firewall Running?
Honeypots
Run Silent, Run Deep: Evasion Techniques
Evading Firewalls
Summary
Exam Essentials
Review Questions

462
462
467

470
473
475
477
480
481
482

Cloud Technologies and Security 
What Is the Cloud?
Types of Cloud Solutions
Forms of Cloud Services
Threats to Cloud Security
Cloud Computing Attacks
Controls for Cloud Security
Testing Security in the Cloud
Summary
Exam Essentials
Review Questions

485
486
487
488
489
491
494
495
496
497

498


Contents 

Chapter

19

Physical Security 
Introducing Physical Security
Simple Controls
Dealing with Mobile Device Issues
Data Storage Security
Securing the Physical Area
Entryways
Server Rooms and Networks
Other Items to Consider
Education and Awareness
Defense in Depth
Summary
Exam Essentials
Review Questions

Appendix

A

Answers to Review Questions
Chapter 1: Introduction to Ethical Hacking

Chapter 2: System Fundamentals
Chapter 3: Cryptography
Chapter 4: Footprinting
Chapter 5: Scanning
Chapter 6: Enumeration
Chapter 7: System Hacking
Chapter 8: Malware
Chapter 9: Sniffers
Chapter 10: Social Engineering
Chapter 11: Denial of Service
Chapter 12: Session Hijacking
Chapter 13: Web Servers and Applications
Chapter 14: SQL Injection
Chapter 15: Hacking Wi-Fi and Bluetooth
Chapter 16: Mobile Device Security
Chapter 17: Evasion
Chapter 18: Cloud Technologies and Security
Chapter 19: Physical Security

Appendix

B

Penetration Testing Frameworks 
Overview of Alternative Methods
Penetration Testing Execution Standard
Working with PTES
Pre-Engagement Interactions

xix


501
502
503
505
506
510
517
518
519
519
519
520
521
522
525
526
527
528
529
530
532
532
533
534
536
537
539
540
541

542
544
544
546
547
549
550
552
553
553


xx 

Contents

Contents of a Contract
Gaining Permission
Intelligence Gathering
Threat Modeling
Vulnerability Analysis
Exploitation
Post-Exploitation
Reporting
Mopping Up
Summary
Appendix

C


Building a Lab
Why Build a Lab?
The Build Process
What You Will Need
Creating a Test Setup
Virtualization Software Options
The Installation Process
Installing a Virtualized Operating System
Installing Tools
Summary

Index

555
556
557
558
559
560
560
562
563
563
565
566
566
567
568
569
569

570
570
574
575


Introduction
If you’re preparing to take the CEH exam, you’ll undoubtedly want to fi nd as much
information as you can about computers, networks, applications, and physical security.
The more information you have at your disposal and the more hands-on experience you
gain, the better off you’ll be when taking the exam. This study guide was written with
that goal in mind—to provide enough information to prepare you for the test, but not so
much that you’ll be overloaded with information that is too far outside the scope of the
exam. To make the information more understandable, I’ve included practical examples and
experience that supplement the theory.
This book presents the material at an advanced technical level. An understanding of
network concepts and issues, computer hardware and operating systems, and applications
will come in handy when you read this book. While every attempt has been made to
present the concepts and exercises in an easy-to-understand format, you will need to have
experience with IT and networking technology to get the best results.
I’ve included review questions at the end of each chapter to give you a taste of what
it’s like to take the exam. If you’re already working in the security field, check out these
questions fi rst to gauge your level of expertise. You can then use the book to fi ll in the gaps
in your current knowledge. This study guide will help you round out your knowledge base
before tackling the exam itself.
If you can answer 85 percent to 90 percent or more of the review questions correctly for
a given chapter, you can feel safe moving on to the next chapter. If you’re unable to answer
that many questions correctly, reread the chapter and try the questions again. Your score
should improve.
Don’t just study the questions and answers! The questions on the actual

exam will be different from the practice questions included in this book.
The exam is designed to test your knowledge of a concept or objective, so
use this book to learn the objectives behind the questions.

Before You Begin Studying
Before you begin preparing for the exam, it’s imperative that you understand a few things
about the CEH certification. CEH is a certification from the International Council of
Electronic Commerce Consultants (EC-Council) granted to those who obtain a passing
score on a single exam (number 312-50). The exam is predominantly multiple choice, with
some questions including diagrams and sketches that you must analyze to arrive at an
answer. This exam requires intermediate- to advanced-level experience; you’re expected to
know a great deal about security from an implementation and theory perspective as well as
a practical perspective.


xxii 

Introduction

In many books, the glossary is filler added to the back of the text; this book’s glossary
(included as part of the online test bank at sybextestbanks.wiley.com) should be
considered necessary reading. You’re likely to see a question on the exam about what a
black- or white-box test is—not how to specifically implement it in a working environment.
Spend your study time learning the various security solutions and identifying potential
security vulnerabilities and where they are applicable. Also spend time thinking outside the
box about how things work—the exam is also known to alter phrases and terminology—
but keep the underlying concept as a way to test your thought process.
The EC-Council is known for presenting concepts in unexpected ways on their exam.
The exam tests whether you can apply your knowledge rather than just commit information to memory and repeat it back. Use your analytical skills to visualize the situation and
then determine how it works. The questions throughout this book make every attempt to

re-create the structure and appearance of the CEH exam questions.

Why Become CEH Certified?
There are a number of reasons for obtaining the CEH certification. These include the
following:
Provides Proof of Professional Achievement    Specialized certifications are the best way
to stand out from the crowd. In this age of technology certifications, you’ll find hundreds
of thousands of administrators who have successfully completed the Microsoft and Cisco
certification tracks. To set yourself apart from the crowd, you need a bit more. The CEH
exam is part of the EC-Council certification track, which includes other security-centric
certifications if you wish to attempt those.
Increases Your Marketability    The CEH for several years has provided a valuable
benchmark of the skills of a pentester to potential employers or clients. Once you hold
the CEH certification, you’ll have the credentials to prove your competency. Moreover,
certifications can’t be taken from you when you change jobs—you can take that
certification with you to any position you accept.
Provides Opportunity for Advancement    Individuals who prove themselves to be
competent and dedicated are the ones who will most likely be promoted. Becoming certified
is a great way to prove your skill level and show your employer that you’re committed to
improving your skill set. Look around you at those who are certified: They are probably the
people who receive good pay raises and promotions.
Fulfills Training Requirements    Many companies have set training requirements for their
staff so that they stay up to date on the latest technologies. Having a certification program
in security provides administrators with another certification path to follow when they
have exhausted some of the other industry-standard certifications.
Raises Customer Confidence    Many companies, small businesses, and the governments of
various countries have long discovered the advantages of being a CEH. Many organizations
require that employees and contractors hold the credential in order to engage in certain
work activities.



Introduction

xxiii

How to Become a CEH-Certified Professional
The fi rst place to start on your way to certification is to register for the exam at any
Pearson VUE testing center. Exam pricing might vary by country or by EC-Council
membership. You can contact Pearson VUE by going to their website (www.vue.com) or in
the United States and Canada by calling toll-free (877)-551-7587.
When you schedule the exam, you’ll receive instructions about appointment and
cancellation procedures, ID requirements, and information about the testing center location.
In addition, you will be required to provide a special EC-Council–furnished code in order to
complete the registration process. Finally, you will also be required to fill out a form describing
your professional experience and background before a code will be issued for you to register.
Exam prices and codes may vary based on the country in which the exam
is administered. For detailed pricing and exam registration procedures,
refer to EC-Council’s website at www.eccouncil.org/certification.

After you’ve successfully passed your CEH exam, the EC-Council will award you with
certification. Within four to six weeks of passing the exam, you’ll receive your official
EC-Council CEH certificate.

Who Should Read This Book?
If you want to acquire solid information in hacking and pen-testing techniques and your goal
is to prepare for the exam by learning how to develop and improve security, this book is for
you. You’ll find clear explanations of the concepts you need to grasp and plenty of help to
achieve the high level of professional competency you need to succeed in your chosen field.
If you want to become certified, this book is defi nitely what you need. However, if you
just want to attempt to pass the exam without really understanding security, this study

guide isn’t for you. You must be committed to learning the theory and concepts in this
book to be successful.
In addition to reading this book, consider downloading and reading the
white papers on security that are scattered throughout the Internet.

What Does This Book Cover?
This book covers everything you need to know to pass the CEH exam. Here’s a breakdown
chapter by chapter:
Chapter 1: Introduction to Ethical Hacking This chapter covers the purpose of ethical
hacking, defi nes the ethical hacker, and describes how to get started performing security
audits.