Certified Ethical Hacking v10 Cheat Sheet
How to Use a Cheat Sheet
A cheat sheet is a compact collection of terms and concepts, listed to jog the memory, mainly before an exam. Memorizing a large number of concepts is hard, and cheat sheets serve as handbooks to refer back to when refreshing your memory of those concepts.
There is a difference between a cheat sheet and a proper study guide. A study guide covers every aspect of how you need to study in order to pass an exam. A cheat sheet, on the other hand, is a document of short descriptions, meanings and basic pointers that keep the necessary terms and concepts at your fingertips.
The best use of a cheat sheet may be to read and recall the concepts already covered, then write them out by hand in a separate notebook at least three times, until you no longer need the cheat sheet. As you do this exercise, keep adding information around the listed concepts to make them easier to memorize.
5 Phases to a penetration test:
Scanning & Enumeration
OS: Attacks that target default (preset) OS settings
App level: Attacks through application code
Shrink Wrap: Exploiting unpatched code and scripts
Misconfiguration: Exploiting settings that were not configured properly
18 U.S.C 1029 & 1030
RFC 1918 - Private IP Standard
RFC 3227 - Collecting and storing data
ISO 27002 - InfoSec Guidelines
CAN-SPAM - email marketing
SPY-Act - License Enforcement
DMCA - Intellectual Property
SOX - Corporate Finance Processes
GLBA - Personal Finance Data
FERPA - Education Records
FISMA - Gov Networks Security Std
CVSS - Common Vulnerability Scoring System
CVE - Common Vulnerabilities and Exposure
Reconnaissance: The first phase of ethical hacking; it involves gathering information on targets. Footprinting is a type of reconnaissance that maps out the target at a high level.
Google search operators (operator:keyword narrows the search to matching items):
site: Search only within a domain
ext: File extension
loc: Map location
intitle: Keywords in the title tag of the page
allintitle: Title can have any of the keywords
inurl: URL can have the keywords anywhere
allinurl: URL can have any of the keywords
cache: Search only in the Google cache
DNS: Port 53. nslookup queries use UDP; zone transfers use TCP.
DNS record types
Service (SRV): Hostname and port number of servers
Start of Authority (SOA): Primary name server
Pointer (PTR): IP to hostname; for reverse DNS
Name Server (NS): Name servers for the namespace
Mail Exchange (MX): E-mail servers
CNAME: Aliases in the zone; lists multiple services in DNS
Address (A): Hostname to IP; for forward DNS lookup
DNS footprinting tools: whois, nslookup, dig
TCP Header Flags
URG: Marks the data as urgent (sent out of band)
ACK: Acknowledges receipt; set on every segment after the SYN
PSH: Forces delivery without concern for buffering
RST: Forces termination of communications in both directions
SYN: Initiates communications; carries parameters and the initial sequence number
FIN: Orderly close of communications
DHCP (DORA):
Client --Discover--> Server
Client <--Offer-- Server
Client --Request--> Server
Client <--Ack-- Server
IP is removed from the pool
Key pairs required =
DES: 56bit key (plus 8 parity bits); fixed block size
3DES: 168bit key; up to 3 keys
AES: 128, 192, or 256bit keys; replaced DES
IDEA: 128bit key
Twofish: Block cipher, key size up to 256bit
Blowfish: Replaced by AES; 64bit block
RC: Includes RC2 through RC6. Keys up to 2,040bit; RC6 uses a 128bit block
Asymmetric: Public key encrypts, private key decrypts
Diffie-Hellman: Key exchange, used in SSL/IPSec
ECC: Elliptic Curve. Low processing power; used on mobile devices
El Gamal: Not based on primes; uses discrete logarithm problems to encrypt/sign
RSA: Product of 2 primes, keys up to 4,096bit. Modern standard.
MD5: 128bit hash, expressed as 32 hex characters
SHA1: 160bit hash. Required for use in US applications
SHA2: Family of hashes with 224, 256, 384 and 512bit outputs
Web of trust: Certificates are signed by other entities (peers)
Single Authority: Trust is based on one CA, which sits at the top
Hierarchical: Root CA at the top; RAs under it manage certificates
XKMS - XML Key Management Specification (XML PKI system)
Known Plaintext: Search the plaintext for repeatable sequences and compare them to the encrypted versions.
Ciphertext-only: Obtain several messages encrypted with the same algorithm and analyze them to reveal repeating code.
Replay: Performed from a MITM position. The system is fooled by repeating a captured exchange used to set up a communication channel.
Digital certificates: Used when a user's identity needs to be verified; provides nonrepudiation
Version: Identifies the certificate format
Serial: Unique to each certificate; helps identify it
Subject: Whoever or whatever is being identified by the certificate
Algorithm ID: Algorithm used
Issuer: Entity that verifies the authenticity of the certificate
Valid from/to: Start and end dates the certificate is valid through
Key usage: Displays the purpose of the certificate
Subject's Public Key: Self-explanatory
Optional fields: For example Issuer ID, Subject Alternative Name, etc.
Scanning & Enumeration
ICMP Message Types
0: Echo Reply: Answer to Type 8 Echo Request
3: Destination Unreachable: No route to the host/network. Codes:
0 – Destination network unreachable
1 – Destination host unreachable
6 – Network unknown
7 – Host unknown
9 – Network administratively prohibited
10 – Host administratively prohibited
13 – Communication administratively prohibited
4: Source Quench: Congestion control message
5: Redirect: Sent when 2+ gateways are available to the sender or the best route is not the configured default gateway. Codes:
0 – Redirect datagram for the network
1 – Redirect datagram for the host
8: Echo Request: Ping message requesting echo
11: Time Exceeded: Packet took too long to be routed (TTL expired)
CIDR notation (prefix = number of addresses in the block, subnet mask)
/30 = 4 addresses, mask 255.255.255.252
/28 = 16 addresses, mask 255.255.255.240
/26 = 64 addresses, mask 255.255.255.192
/24 = 256 addresses, mask 255.255.255.0
/22 = 1024 addresses, mask 255.255.248.0
/20 = 4096 addresses, mask 255.255.240.0
0 – 1023: Well-known
1024 – 49151: Registered
49152 – 65535: Dynamic
Important Port Numbers
HTTP: 80 / 8080
Portmapper (Linux): 111
Printer: 515, 631, 9100
Back Orifice: 27374
HTTP Error Codes
200 Series - OK
400 Series - Could not fulfill the request
500 Series - Could not process the request
Nmap is the de-facto tool for this pen-test phase
-sA: ACK scan
-sF: FIN scan
-sT: TCP scan
-sI: IDLE scan
-sn: PING sweep
-sS: Stealth Scan
-sR: RPC scan
-P0: No ping
-sX: XMAS tree scan
-PI: ICMP ping
-PS: SYN ping
-PT: TCP ping
-oN: Normal output
-oX: XML output
-A: OS detection, version detection and script scanning
-T<0-5>: Timing template, slow (0) to fast (5)
TCP: 3 way handshake on all ports.
*Open = SYN/ACK, Closed = RST/ACK
SYN: SYN packets to ports (incomplete handshake).
*Open = SYN/ACK, Closed = RST/ACK
FIN: Packet with FIN flag set.
*Open = no response, Closed = RST
XMAS: Multiple flags are set, for example PSH, FIN and URG. Binary flags byte: 00101001
*Open = no response, Closed = RST
ACK: Used for Linux/Unix systems
*Open = RST, Closed = no response
IDLE: Uses a spoofed source IP (a zombie host) and SYN packets; designed for stealth.
*Open = SYN/ACK, Closed = RST/ACK
NULL: No flags set. Responses vary by OS.
The flag-based scans above (FIN, XMAS, NULL) are designed specifically for Linux/Unix machines.
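The scan types above are defined by which TCP flags a probe carries. As an added example (my code, not part of the original cheat sheet), the Python below encodes and decodes the flags byte, builds constructed 20-byte TCP headers as sample input, and classifies each header by the scan type its flag combination matches, which is the check an IDS author would want when labelling probes in a capture. The header layout is standard TCP; the function names and sample headers are my own.

```python
import struct

# Bit positions in the TCP flags byte (byte 13 of the header), high to low:
# CWR ECE URG ACK PSH RST SYN FIN
TCP_FLAGS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def flags_to_byte(names):
    """Encode flag names into the flags byte; PSH+FIN+URG gives 0b00101001."""
    byte = 0
    for name in names:
        byte |= TCP_FLAGS[name.upper()]
    return byte


def byte_to_flags(byte):
    """Decode the flags byte into a sorted list of the flag names that are set."""
    return sorted(name for name, bit in TCP_FLAGS.items() if byte & bit)


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=1024):
    """Constructed 20-byte TCP header (no options, checksum left zero) used here
    as sample input; the data offset of 5 words sits in the high nibble of byte 12."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       5 << 4, flags_to_byte(flags), window, 0, 0)


def classify_probe(header):
    """Label a TCP header by the scan type its flag combination matches."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    flags = set(byte_to_flags(header[13]))
    if not flags:
        return "NULL scan"
    if flags == {"FIN", "PSH", "URG"}:
        return "XMAS scan"
    if flags == {"FIN"}:
        return "FIN scan"
    if flags == {"SYN"}:
        return "SYN (handshake or SYN scan)"
    if flags == {"ACK"}:
        return "ACK probe"
    return "normal (" + "/".join(sorted(flags)) + ")"


def count_probes(headers):
    """Tally scan-type labels over a batch of headers, e.g. all from one source IP."""
    counts = {}
    for header in headers:
        label = classify_probe(header)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample: a burst of probes as one scanning host might send them.
SAMPLE_HEADERS = [
    build_tcp_header(40000, 22, ["FIN", "PSH", "URG"]),
    build_tcp_header(40001, 80, []),
    build_tcp_header(40002, 443, ["FIN"]),
    build_tcp_header(40003, 80, ["SYN"]),
    build_tcp_header(40004, 80, ["SYN", "ACK"]),
]

if __name__ == "__main__":
    for label, n in sorted(count_probes(SAMPLE_HEADERS).items()):
        print(f"{n} x {label}")
```

A single FIN or SYN segment is also normal traffic; the useful signal for detection is the tally per source over many destination ports, which is what count_probes produces.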
nbtstat -a COMPUTER190: remote name table by computer name
nbtstat -A 192.168.10.12: remote name table by IP address
nbtstat -n: local name table
nbtstat -c: local name cache
nbtstat -R: purge and reload the name cache
nbtstat -S 10: session statistics, refreshed every 10 seconds
1B == master browser for the subnet
1C == domain controller
1D == domain master browser
SNMP: Uses a community string as the password. SNMPv3 encrypts the community strings.
Sniffing and Evasion
IPv4 and IPv6
IPv4 == unicast, multicast, and broadcast
IPv6 == unicast, multicast, and anycast.
Both unicast and multicast in IPv6 include site local, link local and global.
MAC address: First half is 3 bytes (24bits) = OUI (vendor identifier)
Second half = unique number
NAT (Network Address Translation)
Basic NAT is a one-to-one mapping where each internal IP is equal to a unique public IP.
NAT Overload (PAT): Port address translation. Typically used as the cheaper option.
Stateful inspection firewall: Concerned with connections; it doesn't sniff every packet. It only verifies that a packet belongs to a known connection, then passes it along.
HTTP tunneling: Crafting wrapped segments through a port rarely filtered by the firewall (e.g., 80) to carry payloads that may otherwise be blocked.
Snort has 3 modes:
Packet Sniffer: Reads IP packets and shows them on the console
Packet logger: Logs IP Packets
Network IDS: Inspects IP packets using rulesets
Span port: port mirroring
False Negative: Occurs when the IDS (Snort in this case) incorrectly reports a malicious stream as clean
IDS Evasion Tactics
Slow down the traffic so it does not trip the IDS
Flood the network so the real traffic sneaks through in the mix without raising an alarm or getting caught
Attacking a System
C|EH Password Rules
The password should not contain the user's name. A minimum of 8 characters is a must.
At least three out of four complexity components (special characters, numbers, uppercase, lowercase) must be used.
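The two rules above are easy to state and easy to get wrong in code (case, substring matching, counting classes). As an added example, not from the original cheat sheet, the Python below checks a candidate password against exactly those rules and reports every violation rather than only the first; the function names and sample accounts are my own.

```python
import re

# The four complexity classes named in the rule above.
CLASS_PATTERNS = {
    "uppercase": r"[A-Z]",
    "lowercase": r"[a-z]",
    "number": r"[0-9]",
    "special": r"[^A-Za-z0-9]",
}


def check_password(password, username, min_length=8, min_classes=3):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Case-insensitive substring check so "Alice2024!" still fails for user alice.
    if username and username.lower() in password.lower():
        problems.append("contains the user's name")
    present = [name for name, pattern in CLASS_PATTERNS.items()
               if re.search(pattern, password)]
    if len(present) < min_classes:
        problems.append(f"uses only {len(present)} of 4 character classes "
                        f"(need {min_classes}): {', '.join(present) or 'none'}")
    return problems


def password_ok(password, username):
    """True when the password satisfies every rule."""
    return not check_password(password, username)


if __name__ == "__main__":
    # Constructed sample accounts and candidate passwords.
    for user, pw in [("alice", "Tr0ub4dor&3"), ("alice", "alice123"), ("bob", "Abc1")]:
        print(user, repr(pw), check_password(pw, user) or "OK")
```

The "special" class is defined as anything outside letters and digits, so spaces and non-ASCII characters count, which is the usual policy reading.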
LM hash of an empty 7-character half (7 spaces): AAD3B435B51404EE
Passive Online: Sniffing the wire to intercept and replay traffic, capture cleartext passwords, or MITM
Active Online: Password guessing
Offline: Steal a copy of the password database (e.g., the SAM file) and use a separate system for the cracking effort
Non-electronic: Social Engineering
Cookie replay: Target and steal the cookies exchanged between systems and perform a replay-style attack using them.
Type 1 (authentication factor): Something you know
Type 2: Something you have
Type 3: Something you are
Session hijacking: An attempt to steal a whole established session
1. Targeting and sniffing traffic between client and server
2. Traffic monitoring and predicting sequence
3. Desynchronize session with client
4. Take over session by predicting session token
5. Inject packets to the target server
Kerberos: Uses both symmetric and asymmetric encryption technologies and involves:
KDC: Key Distribution Centre
AS: Authentication Service
TGS: Ticket Granting Service
TGT: Ticket Granting Ticket
1. The client asks the KDC (which hosts the AS and TGS) for a ticket to authenticate throughout the network. This request is in clear text.
2. The KDC responds with a secret (session) key, encrypted with the hash of the user's password, a copy of which is kept on the AD server.
3. If the user can decrypt it, the TGT is sent back to the KDC to request a service ticket from the TGS.
4. The server responds with a service ticket, and the client can log on and access network resources.
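The four steps above are a protocol exchange, and the point that matters for security is which key protects each message. As an added example (my code, not part of the original cheat sheet and not real Kerberos), the Python below simulates both sides: a KDC holding password-derived user keys, a KDC-only key for TGTs and per-service keys, and a client that can only recover the session key if it knows the password. The "encryption" is a labelled toy (SHA-256 keystream plus HMAC tag) so the block runs with the standard library; class and function names are my own.

```python
import hashlib
import hmac
import json
import os


def _keystream(key, length):
    # Toy keystream for illustration only; real Kerberos uses AES.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key, message):
    """XOR with the keystream, then append an HMAC tag so a wrong key is detected."""
    data = json.dumps(message).encode()
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def toy_decrypt(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, len(body)))))


def user_key(password):
    """Stands in for the password hash the KDC keeps (toy: a plain SHA-256)."""
    return hashlib.sha256(password.encode()).digest()


class KDC:
    """Holds the AS and TGS roles, the users' password-derived keys and service keys."""

    def __init__(self, user_keys, service_keys):
        self.user_keys = user_keys          # username -> key (the AD copy)
        self.service_keys = service_keys    # service name -> key shared with that service
        self.tgt_key = os.urandom(32)       # KDC's own key; only it can open a TGT

    def as_exchange(self, username):
        """Steps 1-2: cleartext request; the reply holds the session key under the
        user's key, plus a TGT under the KDC key that the client cannot read."""
        session_key = os.urandom(32)
        tgt = toy_encrypt(self.tgt_key, {"user": username, "skey": session_key.hex()})
        reply = toy_encrypt(self.user_keys[username], {"skey": session_key.hex()})
        return reply, tgt

    def tgs_exchange(self, tgt, service):
        """Steps 3-4: the TGT proves who the client is; issue a service ticket under the
        service's key and the service session key under the TGT session key."""
        info = toy_decrypt(self.tgt_key, tgt)
        svc_session = os.urandom(32)
        ticket = toy_encrypt(self.service_keys[service],
                             {"user": info["user"], "skey": svc_session.hex()})
        for_client = toy_encrypt(bytes.fromhex(info["skey"]), {"skey": svc_session.hex()})
        return ticket, for_client


def client_logon(kdc, username, password, service):
    """Client side of the four steps; raises ValueError if the password is wrong."""
    reply, tgt = kdc.as_exchange(username)
    session_key = bytes.fromhex(toy_decrypt(user_key(password), reply)["skey"])
    ticket, for_client = kdc.tgs_exchange(tgt, service)
    svc_key = bytes.fromhex(toy_decrypt(session_key, for_client)["skey"])
    return ticket, svc_key


def service_accepts(service_key, ticket, claimed_user):
    """The target service opens the ticket with its own key and checks the name."""
    try:
        return toy_decrypt(service_key, ticket)["user"] == claimed_user
    except ValueError:
        return False


def logon_succeeds(kdc, username, password, service):
    try:
        ticket, _ = client_logon(kdc, username, password, service)
    except ValueError:
        return False
    return service_accepts(kdc.service_keys[service], ticket, username)


if __name__ == "__main__":
    # Constructed realm: one user, one file server.
    realm = KDC({"alice": user_key("correct horse")}, {"fileserver": os.urandom(32)})
    print("right password:", logon_succeeds(realm, "alice", "correct horse", "fileserver"))
    print("wrong password:", logon_succeeds(realm, "alice", "guess", "fileserver"))
```

Note what the KDC never sends: the user's password or its hash. Step 1 is cleartext, but the attacker who captures step 2 holds only material encrypted under the password hash, which is why that hash is the thing to protect on the AD server.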
Registry: A setting is made of two elements: a key that points to a location, and a value that defines the key's setting.
Root level keys:
HKEY_LOCAL_MACHINE - Hardware/software information
HKEY_CLASSES_ROOT - File associations and OLE (Object Linking and Embedding) class information
HKEY_CURRENT_USER - Profile information for the current user
HKEY_USERS - User configuration information for all active users
HKEY_CURRENT_CONFIG - Pointer to \Hardware Profiles\
Human based attacks
Tailgating or Piggybacking
Computer based attacks
Phishing – Scamming via emails
Whaling - Phishing that targets CEOs
Pharming - Look-alike (twin) websites used to mislead users
Types of Social Engineers
Insider Associates: Employees who have limited authorized access
Insider Affiliates: Insiders who have some affiliation and can spoof the identity of the Insider
Outsider Affiliates: Outsiders who use a weak and vulnerable access point
3 major categories of Physical Security Measures
Physical measures: include all things that you can touch, taste and smell
Technical measures: Include all things technical like smart cards and biometrics
Operational measures: Include policies and procedures designed to maintain physical security
CSRF - Cross Site Request Forgery
It is a different kind of Unicode, also understood to be an un-validated input attack
SQL Injection attack types
Union Query: Uses the UNION command to return the target Db's results unioned with the results of a crafted query.
Tautology: A term for a Db's behavior when deciding whether a statement is true; an always-true condition is injected so the statement evaluates as true.
Blind SQL Injection:
Called blind because it is a trial-and-error methodology in which the Db gives no direct responses.
Error based SQL injection:
An enumeration technique where malformed commands are injected so the Db's error messages reveal table names and other relevant information.
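The tautology type above is the easiest to see in working code. As an added example (mine, not from the original cheat sheet), the Python below runs the same login check two ways against a constructed in-memory SQLite table: once with string concatenation, where a tautology in the password field makes the WHERE clause always true, and once with a parameterized query, where the same input is just a string that matches nothing. Table contents, function names and the sample accounts are my own.

```python
import sqlite3


def setup_db():
    """Constructed in-memory users table standing in for the target Db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    """Builds the statement by string concatenation: user input becomes SQL syntax,
    so a tautology such as ' OR '1'='1 turns the WHERE clause permanently true."""
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, name, password):
    """Parameterized query: the driver binds the values, so quotes and keywords in
    the input are compared as data and can never change the statement's shape."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


if __name__ == "__main__":
    db = setup_db()
    tautology = "' OR '1'='1"
    print("normal login   :", login_vulnerable(db, "alice", "s3cret"))
    print("tautology, vuln:", login_vulnerable(db, "alice", tautology))
    print("tautology, safe:", login_safe(db, "alice", tautology))
```

The vulnerable path returns every user for the tautology input because the statement becomes `... AND password = '' OR '1'='1'`; the safe path returns nothing, because no password literally equals that string. The fix is the second function, not escaping quotes by hand.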
Buffer overflow: Occurs when data written to a buffer exceeds its designated storage space, corrupting adjacent data. It is caused by a bug, insufficient bounds checking, or poorly written program code.
Dangerous SQL functions
Wireless Network Hacking
Similar to sniffing a wired network, it requires a compatible wireless adapter that supports promiscuous mode.
802.11 Specifications
WEP: RC4 with a 24bit IV. 40bit or 104bit keys
WPA: RC4 with support for longer keys; 48bit IV
WPA/TKIP: Changes the IV each frame and performs key mixing
WPA2: AES plus TKIP features; 48bit IV
Bluesmacking: DoS against a device
Bluejacking: Includes messages sent to/from devices
Bluesniffing: Involves sniffing for Bluetooth
Bluesnarfing: Stealing data from a device via Bluetooth
Trojans and Other Attacks
Boot: Impossible to remove; it moves the boot sector to a different location.
Camo: Named after camouflage, it disguises itself as legit files.
Cavity: Like a cavity in a tooth, it finds empty areas in an executable to hide in.
Macro: it is written in Macro Language of MS Office
Multipartite: Makes attempts to boot sector and infect files simultaneously.
Metamorphic virus: When infecting a new file, it rewrites itself.
Network: Spreads with the help of shared networks.
Polymorphic Code virus: Uses a built-in polymorphic engine to encrypt itself. Hard to detect due to its constantly changing signature.
Shell virus: Runs at the start of an application; it is wrapped around the application code.
Stealth: Hides itself in files and copies itself to deliver its payload.
SYN Attack: Thousands of SYN packets with a false source IP address are sent so the target attempts to respond with SYN/ACK. As a result, all machine resources get consumed.
SYN Flood: Thousands of SYN packets are sent but none of the returned SYN/ACK packets are answered, with the intention of having the target run out of available connections.
ICMP Flood: ICMP Echo packets with a fake source address are sent so the target attempts to respond. As a result, the target reaches its limit of packets sent per second.
Application level: Morph the attack requests and mimic flash crowds, sending legitimate heavy traffic to a web application
Smurf: Involves large number of pings sent to the subnet’s broadcast address. Source IP is spoofed to the target and ping responses are sent to target by Subnet.
Fraggle Attack: Uses UDP, but otherwise similar to Smurf.
Ping of Death: A fragmented ICMP message is sent to the target. When reassembled on the target's end, the ICMP packet is larger than the maximum size, crashing the system.
Heartbleed: A bug that allows an attacker to read the memory of systems protected by vulnerable versions of the OpenSSL software. It lets a MITM alter communications and steal information that is normally protected by SSL/TLS encryption.
POODLE (Padding Oracle On Downgraded Legacy Encryption): Targets the obsolete SSLv3 protocol.
Shellshock: Allows those without permission to execute commands and code inside the shell by exploiting a vulnerability. Also known as a privilege escalation vulnerability.
ILOVEYOU: Originated in the Philippines; a worm that spreads by email with "I Love You" in the subject, presenting itself as a love letter. One of the most well-known and notorious.
MELISSA: Email virus, also classified as a mass-mailing virus, that targeted MS applications like Word and Outlook
Linux File System
/var -Variable Data / Log Files
/bin -Binaries / User Commands
/sbin -Sys Binaries / Admin Commands
/root -Home dir for root user
/boot -Stores kernel
/proc -Direct access to kernel
/dev -Hardware storage devices
/mnt -Mount devices
Identifying Users and Processes
INIT process: ID 1
Root: UID and GID 0
Service accounts: UIDs 1-999
All other users: UID 1000 and above
Permission bits:
4 - Read
2 - Write
1 - Execute
764 - User: RWX, Group: RW, Other: R
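The 4/2/1 bits and the 764 example above are a bit-decomposition rule. As an added example (my code, not from the original cheat sheet), the Python below converts an octal mode to the rwx string and back, extends the rule to the setuid, setgid and sticky bits that a 4-digit mode carries, and flags the combinations a reviewer looks for (setuid, setgid, world-writable). Function names are my own.

```python
# Positions 2, 5 and 8 of the rwxrwxrwx string hold the x bit of user, group
# and other; the setuid, setgid and sticky bits are shown there as s/S and t/T.
SPECIAL_BITS = {2: 0o4000, 5: 0o2000, 8: 0o1000}


def octal_to_symbolic(mode):
    """764 -> 'rwxrw-r--', 4755 -> 'rwsr-xr-x'; accepts int or str, 3 or 4 digits."""
    bits = int(str(mode), 8)
    chars = []
    for shift in (6, 3, 0):
        triplet = (bits >> shift) & 0b111
        chars += ["r" if triplet & 4 else "-",
                  "w" if triplet & 2 else "-",
                  "x" if triplet & 1 else "-"]
    for pos, bit in SPECIAL_BITS.items():
        if bits & bit:
            letter = "t" if pos == 8 else "s"
            # lowercase when the x bit is also set, uppercase when it is not
            chars[pos] = letter if chars[pos] == "x" else letter.upper()
    return "".join(chars)


def symbolic_to_octal(sym):
    """'rwxrw-r--' -> '764'; rejects strings that are not a valid mode."""
    if len(sym) != 9:
        raise ValueError("mode string must be 9 characters: " + sym)
    bits = 0
    for pos, ch in enumerate(sym):
        if ch == "-":
            continue
        bit = 1 << (8 - pos)
        expected_special = "t" if pos == 8 else "s"
        if ch == "rwx"[pos % 3]:
            bits |= bit
        elif pos in SPECIAL_BITS and ch.lower() == expected_special:
            bits |= SPECIAL_BITS[pos]
            if ch.islower():          # lowercase means the x bit is set as well
                bits |= bit
        else:
            raise ValueError(f"unexpected '{ch}' at position {pos}")
    return format(bits, "o")


def risk_flags(mode):
    """Properties a reviewer would flag: setuid/setgid executables, world-writable files."""
    bits = int(str(mode), 8)
    flags = []
    if bits & 0o4000:
        flags.append("setuid")
    if bits & 0o2000:
        flags.append("setgid")
    if bits & 0o002:
        flags.append("world-writable")
    return flags


if __name__ == "__main__":
    for mode in ("764", "4755", "1777", "600"):
        print(mode, octal_to_symbolic(mode), risk_flags(mode) or "ok")
```

An uppercase S or T in `ls -l` output means the special bit is set without the matching execute bit, which is usually a mistake worth asking about.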
Snort rule format: action protocol address port -> address port (option:value; option:value;)
alert tcp 10.0.0.1 25 -> 10.0.0.2 25 (msg:"Sample Alert"; sid:1000;)
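The rule format above has a fixed header and a free-form options block. As an added example (my code, not Snort's and not part of the original cheat sheet), the Python below parses rules of that shape, including quoted option values that contain semicolons, matches their header fields against constructed packet summaries, and reports which alert rules fire. It goes beyond the single rule on the page by handling `any` and the bidirectional `<>` operator; all function names, the second rule and the sample packets are my own.

```python
import re

# Header: action protocol src sport direction dst dport, then (options)
RULE_HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


def parse_options(text):
    """Split 'key:value; key;' into a dict. Values may be quoted, and a quoted
    value may itself contain ';', so a plain split on ';' is not enough."""
    options, buf, in_quote = {}, "", False
    for ch in text + ";":
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            key, _, value = buf.strip().partition(":")
            if key:
                options[key] = value.strip().strip('"')
            buf = ""
        else:
            buf += ch
    if in_quote:
        raise ValueError("unbalanced quote in options: " + text)
    return options


def parse_rule(line):
    m = RULE_HEADER.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule: " + line)
    rule = {k: m.group(k) for k in
            ("action", "proto", "src", "sport", "direction", "dst", "dport")}
    rule["options"] = parse_options(m.group("opts"))
    return rule


def _field_matches(pattern, value):
    return pattern == "any" or pattern == str(value)


def rule_matches(rule, pkt):
    """Match header fields only (exact values or 'any'); '<>' matches either direction."""
    forward = (_field_matches(rule["src"], pkt["src"]) and _field_matches(rule["sport"], pkt["sport"])
               and _field_matches(rule["dst"], pkt["dst"]) and _field_matches(rule["dport"], pkt["dport"]))
    backward = (_field_matches(rule["src"], pkt["dst"]) and _field_matches(rule["sport"], pkt["dport"])
                and _field_matches(rule["dst"], pkt["src"]) and _field_matches(rule["dport"], pkt["sport"]))
    proto_ok = rule["proto"] in ("ip", pkt["proto"])
    return proto_ok and (forward or (rule["direction"] == "<>" and backward))


def run_rules(rules, packets):
    """Return (sid, msg, packet) for every alert rule that fires on a packet."""
    hits = []
    for pkt in packets:
        for rule in rules:
            if rule["action"] == "alert" and rule_matches(rule, pkt):
                hits.append((rule["options"].get("sid"), rule["options"].get("msg"), pkt))
    return hits


# Constructed rules and packet summaries (a real run would feed decoded captures).
RULES = [parse_rule(r) for r in [
    'alert tcp 10.0.0.1 25 -> 10.0.0.2 25 (msg:"Sample Alert"; sid:1000;)',
    'alert tcp any any -> any 23 (msg:"Telnet; cleartext login"; sid:1001; nocase;)',
]]
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.1", "sport": 25, "dst": "10.0.0.2", "dport": 25},
    {"proto": "tcp", "src": "192.0.2.9", "sport": 51000, "dst": "10.0.0.7", "dport": 23},
    {"proto": "udp", "src": "10.0.0.1", "sport": 25, "dst": "10.0.0.2", "dport": 25},
]

if __name__ == "__main__":
    for sid, msg, pkt in run_rules(RULES, PACKETS):
        print(f"[sid {sid}] {msg}: {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}")
```

Only header matching is implemented; content options such as `content:` or `nocase` are parsed into the dict but not evaluated, which is the part a real engine spends most of its time on.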
Command Line Tools
nmap -sT -T5 -n -p 1-100 10.0.0.1 (TCP connect scan, fastest timing, no DNS resolution, ports 1-100)
nc -v -z -w 2 10.0.0.1 (verbose, scan without sending data, 2-second timeout)
tcpdump -i eth0 -v -X ip proto 1 (capture on eth0, verbose, hex/ASCII dump, ICMP only)
snort -vde -c my.rules (verbose, dump data-link and application layers, use my.rules)
hping3 -I eth0 -c 10 -a 220.127.116.11 -t 100 10.0.0.1 (interface eth0, 10 packets, spoofed source address, TTL 100)
iptables -A FORWARD -j ACCEPT -p tcp --dport 80 (append a FORWARD rule accepting TCP to port 80)
Tools of Trade
National Vuln Db
Website Research Tools
DNS and Whois Tools
Scanning and Enumeration
Angry IP Scanner
NetScan Tools Pro
Proxy, Anonymizer, and Tunneling
System Hacking Tools
John the Ripper
Keyloggers and Screen Capture
All In One Keylogger
Password Recovery Boot Disk
Remote Desktop Spy
Cryptography and Encryption
Wireless Security Auditor
Mobile Device Tracking
Where's My Droid
Find My Phone
Trojans and Malware
SQL Injection Brute