CEH™ Certified Ethical Hacker


Study Guide

Version 9

Sean-Philip Oriyano


Development Editor: Kim Wimpsett
Technical Editors: Raymond Blockmon, Jason McDowell, Tom Updegrove
Production Editor: Rebecca Anderson
Copy Editor: Linda Recktenwald
Editorial Manager: Mary Beth Wakefield
Production Manager: Kathleen Wisor
Executive Editor: Jim Minatel
Media Supervising Producer: Rich Graves
Book Designers: Judy Fung and Bill Gibson
Proofreader: Nancy Carrasco
Indexer: J & J Indexing
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: ©Getty Images Inc./Jeremy Woodhouse
Copyright © 2016 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-25224-5
ISBN: 978-1-119-25227-6 (ebk.)
ISBN: 978-1-119-25225-2 (ebk.)

Manufactured in the United States of America
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means,
electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of
the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization
through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA
01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the
Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 7486008, or online at />Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with
respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including
without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or
promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is
sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional
services. If professional assistance is required, the services of a competent professional person should be sought. Neither
the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is
referred to in this work as a citation and/or a potential source of further information does not mean that the author or
the publisher endorses the information the organization or Web site may provide or recommendations it may make.
Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between
when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact our Customer
Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with
standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media
such as a CD or DVD that is not included in the version you purchased, you may download this material at
. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2016934529
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley &
Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission.
CEH is a trademark of EC-Council. All other trademarks are the property of their respective owners. John Wiley & Sons,
Inc. is not associated with any product or vendor mentioned in this book.




I would like to dedicate this book to Medal of Honor recipient (and personal hero) Sgt.
Maj. (USA) Jon R. Cavaiani, who passed away some time before this book was written.
Thank you for giving me the honor to shake your hand.



Acknowledgments
Writing acknowledgements is probably the toughest part of writing a book in my opinion
as I always feel that I have forgotten someone who had to deal with my hijinks over the
past few months. Anyway, here goes.
First of all, I want to thank my Mom and Dad for all of your support over the years as well
as being your favorite son. That’s right, I said it.
I would also like to take a moment to thank all the men and women I have served with
over the years. It is an honor for this Chief Warrant Officer to serve with each of you. I
would also like to extend a special thanks to my own unit for all the work you do, you are
each a credit to the uniform. Finally, thanks to my Commander for your mentorship,
support, and faith in my abilities.
To my friends I want to say thanks for tearing me away from my computer now and then
when you knew I needed to let my brain cool off a bit. Mark, Jason, Jennifer, Fred, Misty,
Arnold, Shelly, and especially Lisa, you all helped me put my focus elsewhere for a while
before I went crazy(er).
I would also like to thank Shigeru Miyamoto for bringing the Legend of Zelda into reality.
Finally, on a more serious note, I would like to dedicate this book to Medal of Honor
recipient (and personal hero) Sgt. Maj. (USA) Jon R. Cavaiani who passed away some
time before this book was written. Thank you for giving me the honor to shake your hand.
—Sean-Philip Oriyano
Duty, Service, Honor




About the Author
Sean Oriyano (www.oriyano.com) is a seasoned security professional and entrepreneur.
Over the past 25 years he has split his time among writing, researching, consulting, and
training various people and organizations on a wide range of topics relating to both IT and
security. As an instructor and consultant, Sean has traveled all over the world, sharing his
knowledge as well as gaining exposure to many different environments and cultures
along the way. His broad knowledge and easy-to-understand manner, along with a healthy
dose of humor, have led to Sean being a regularly requested instructor.
Outside of training and consulting, Sean is also a best-selling author with many years of
experience in both digital and print media. Sean has published books for McGraw-Hill,
Wiley, Sybex, O’Reilly Media, and Jones & Bartlett. Over the last decade Sean has
expanded his reach even further by appearing in shows on both TV and radio. To date,
Sean has appeared in over a dozen TV programs and radio shows discussing various
cybersecurity topics and technologies. When in front of the camera, Sean has been noted
for his casual demeanor and praised for his ability to explain complex topics in an easy-tounderstand manner.
Outside his own business activities, Sean is a member of the military as a chief warrant
officer specializing in infrastructure and security as well as the development of
new troops. In addition, as a CWO he is recognized as a subject matter expert in his field
and is frequently called upon to provide expertise, training, and mentoring wherever
needed.
When not working, Sean is an avid obstacle course racer, having completed numerous
races, including a world championship race and a Spartan Trifecta. He also enjoys
traveling, bodybuilding, training, and developing his mixed martial arts skills plus taking
survival courses.
Sean holds many certifications and qualifications that demonstrate his knowledge and
experience in the IT field, such as the CISSP, CNDA, and Security+.




CONTENTS
Introduction
Exam 312-50 Exam Objectives
Assessment Test
Answers to Assessment Test
Chapter 1: Introduction to Ethical Hacking
Hacking: the Evolution
So, What Is an Ethical Hacker?
Summary
Exam Essentials
Review Questions
Chapter 2: System Fundamentals
Exploring Network Topologies
Working with the Open Systems Interconnection Model
Dissecting the TCP/IP Suite
IP Subnetting
Hexadecimal vs. Binary
Exploring TCP/IP Ports
Understanding Network Devices
Working with MAC Addresses
Intrusion Prevention and Intrusion Detection Systems
Network Security
Knowing Operating Systems
Backups and Archiving
Summary
Exam Essentials
Review Questions
Chapter 3: Cryptography
Cryptography: Early Applications and Examples
Cryptography in Action

Understanding Hashing
Issues with Cryptography
Applications of Cryptography
Summary


Exam Essentials
Review Questions
Chapter 4: Footprinting
Understanding the Steps of Ethical Hacking
What Is Footprinting?
Terminology in Footprinting
Threats Introduced by Footprinting
The Footprinting Process
Summary
Exam Essentials
Review Questions
Chapter 5: Scanning
What Is Scanning?
Checking for Live Systems
Checking the Status of Ports
The Family Tree of Scans
OS Fingerprinting
Countermeasures
Vulnerability Scanning
Mapping the Network
Using Proxies
Summary
Exam Essentials
Review Questions

Chapter 6: Enumeration
A Quick Review
What Is Enumeration?
About Windows Enumeration
Linux Basic
Enumeration with SNMP
Unix and Linux Enumeration
LDAP and Directory Service Enumeration
Enumeration Using NTP
SMTP Enumeration


Summary
Exam Essentials
Review Questions
Chapter 7: System Hacking
Up to This Point
System Hacking
Summary
Exam Essentials
Review Questions
Chapter 8: Malware
Malware
Overt and Covert Channels
Summary
Exam Essentials
Review Questions
Chapter 9: Sniffers
Understanding Sniffers
Using a Sniffer

Switched Network Sniffing
Summary
Exam Essentials
Review Questions
Chapter 10: Social Engineering
What Is Social Engineering?
Social Networking to Gather Information?
Commonly Employed Threats
Identity Theft
Summary
Exam Essentials
Review Questions
Chapter 11: Denial of Service
Understanding DoS
Understanding DDoS
DoS Tools


DDoS Tools
DoS Defensive Strategies
DoS Pen-Testing Considerations
Summary
Exam Essentials
Review Questions
Chapter 12: Session Hijacking
Understanding Session Hijacking
Exploring Defensive Strategies
Summary
Exam Essentials
Review Questions

Chapter 13: Web Servers and Applications
Exploring the Client-Server Relationship
Summary
Exam Essentials
Review Questions
Chapter 14: SQL Injection
Introducing SQL Injection
Summary
Exam Essentials
Review Questions
Chapter 15: Hacking Wi-Fi and Bluetooth
What Is a Wireless Network?
Summary
Exam Essentials
Review Questions
Chapter 16: Mobile Device Security
Mobile OS Models and Architectures
Goals of Mobile Security
Device Security Models
Countermeasures
Summary
Exam Essentials


Review Questions
Chapter 17: Evasion
Honeypots, IDSs, and Firewalls
Summary
Exam Essentials
Review Questions

Chapter 18: Cloud Technologies and Security
What Is the Cloud?
Summary
Exam Essentials
Review Questions
Chapter 19: Physical Security
Introducing Physical Security
Summary
Exam Essentials
Review Questions
Appendix A: Answers to Review Questions
Chapter 1: Introduction to Ethical Hacking
Chapter 2: System Fundamentals
Chapter 3: Cryptography
Chapter 4: Footprinting
Chapter 5: Scanning
Chapter 6: Enumeration
Chapter 7: System Hacking
Chapter 8: Malware
Chapter 9: Sniffers
Chapter 10: Social Engineering
Chapter 11: Denial of Service
Chapter 12: Session Hijacking
Chapter 13: Web Servers and Applications
Chapter 14: SQL Injection
Chapter 15: Hacking Wi-Fi and Bluetooth
Chapter 16: Mobile Device Security
Chapter 17: Evasion



Chapter 18: Cloud Technologies and Security
Chapter 19: Physical Security
Appendix B: Penetration Testing Frameworks
Overview of Alternative Methods
Penetration Testing Execution Standard
Summary
Appendix C: Building a Lab
Why Build a Lab?
Creating a Test Setup
The Installation Process
Summary
Advert
EULA


List of Tables
Chapter 1
Table 1.1
Table 1.2
Table 1.3
Chapter 2
Table 2.1
Table 2.2
Table 2.3
Chapter 3
Table 3.1
Chapter 5
Table 5.1
Table 5.2
Table 5.3

Table 5.4
Chapter 9
Table 9.1
Table 9.2
Table 9.3
Chapter 12
Table 12.1
Chapter 15
Table 15.1
Table 15.2


List of Illustrations
Chapter 1
Figure 1.1 Security versus convenience analysis
Figure 1.2 The hacking process
Chapter 2
Figure 2.1 Bus topology
Figure 2.2 Ring topology
Figure 2.3 Star topology
Figure 2.4 Mesh topology
Figure 2.5 Hybrid topology
Figure 2.6 OSI TCP/IP comparative model
Figure 2.7 TCP three-way handshake
Figure 2.8 TCP sequencing
Figure 2.9 Residential network setup
Figure 2.10 Typical enterprise network
Chapter 3
Figure 3.1 The Rosetta stone
Figure 3.2 Symmetric encryption

Figure 3.3 Asymmetric encryption
Figure 3.4 A digital signature in use
Figure 3.5 The PKI ecosystem
Figure 3.6 Hash generated from “Hello World” using MD5
Chapter 4
Figure 4.1 Google Earth
Figure 4.2 Cameras found by doing a Google hack
Figure 4.3 Instagram
Figure 4.4 The Echosec service
Chapter 5
Figure 5.1 The three-way handshake
Figure 5.2 Half-open scan against closed and open ports


Figure 5.3 Xmas tree scan
Figure 5.4 An FIN scan against a closed port and an open port
Figure 5.5 A NULL scan against a closed and an open port
Figure 5.6 Results of a banner grab
Figure 5.7 A network map built by a network-mapping software package
Chapter 8
Figure 8.1 JPS Virus Maker user interface
Figure 8.2 TCPView interface
Chapter 9
Figure 9.1 TCP three-way handshake packet
Figure 9.2 Macof MAC flood
Figure 9.3 Cain & Abel
Chapter 11
Figure 11.1 Basic program stack
Figure 11.2 Smashing the stack
Figure 11.3 DDoS attack setup

Chapter 12
Figure 12.1 Session hijack
Figure 12.2 Active attack
Figure 12.3 Passive attack
Figure 12.4 Spoofing
Figure 12.5 Source routing
Figure 12.6 Desynchronizing a connection
Figure 12.7 TCP three-way handshake
Figure 12.8 MITM attack
Chapter 15
Figure 15.1 A Yagi antenna
Figure 15.2 A parabolic antenna
Chapter 19
Figure 19.1 A drive degausser
Figure 19.2 A mantrap installed in a lobby


Figure 19.3 One kind of cipher lock
Figure 19.4 Lock-picking tools


List of Exercises
Chapter 2
Exercise 2.1
Chapter 3
Exercise 3.1
Chapter 4
Exercise 4.1
Exercise 4.2
Exercise 4.3

Exercise 4.4
Exercise 4.5
Chapter 5
Exercise 5.1
Chapter 6
Exercise 6.1
Exercise 6.2
Exercise 6.3
Chapter 7
Exercise 7.1
Exercise 7.2
Exercise 7.3
Exercise 7.4
Exercise 7.5
Exercise 7.6
Exercise 7.7
Chapter 8
Exercise 8.1
Exercise 8.2
Exercise 8.3
Chapter 9


Exercise 9.1
Exercise 9.2
Exercise 9.3
Chapter 11
Exercise 11.1
Exercise 11.2
Exercise 11.3

Exercise 11.4
Chapter 12
Exercise 12.1
Exercise 12.2
Exercise 12.3
Chapter 13
Exercise 13.1
Exercise 13.2
Exercise 13.3
Exercise 13.4
Chapter 15
Exercise 15.1
Exercise 15.2
Chapter 16
Exercise 16.1
Chapter 17
Exercise 17.1