Certified Ethical Hacker (CEH) Version 9 Cert Guide
Second Edition
Michael Gregg
800 East 96th Street
Indianapolis, Indiana 46240 USA
9780789756916 book.indb i 3/12/17 10:14 AM

Certified Ethical Hacker (CEH) Version 9 Cert Guide, Second Edition
Copyright 2017 by Pearson Education, Inc.

All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

ISBN-13: 978-0-7897-5691-6
ISBN-10: 0-7897-5691-9
Library of Congress Control Number: 2017932316
Printed in the United States of America
First Printing: April 2017

Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Pearson IT Certification cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book.

Special Sales
For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at [email protected] or (800) 382-3419.
For government sales inquiries, please contact [email protected]
For questions about sales outside the U.S., please contact [email protected]

Editor-in-Chief: Mark Taub
Product Line Manager: Brett Bartow
Acquisitions Editor: Michelle Newcomb
Development Editor: Ellie C. Bru
Managing Editor: Sandra Schroeder
Senior Project Editor: Tonya Simpson
Copy Editor: Bill McManus
Indexer: Ken Johnson
Proofreader: Gill Editorial Services
Technical Editor: Brock Pearson
Publishing Coordinator: Vanessa Evans
Cover Designer: Chuti Prasertsith
Compositor: Studio Galou

Contents at a Glance
Introduction xxi
CHAPTER 1 An Introduction to Ethical Hacking 3
CHAPTER 2 The Technical Foundations of Hacking 45
CHAPTER 3 Footprinting and Scanning 87
CHAPTER 4 Enumeration and System Hacking 149
CHAPTER 5 Malware Threats 195
CHAPTER 6 Sniffers, Session Hijacking, and Denial of Service 249
CHAPTER 7 Web Server Hacking, Web Applications, and Database Attacks 299
CHAPTER 8 Wireless Technologies, Mobile Security, and Attacks 355
CHAPTER 9 IDS, Firewalls, and Honeypots 397
CHAPTER 10 Physical Security and Social Engineering 441
CHAPTER 11 Cryptographic Attacks and Defenses 481
CHAPTER 12 Cloud Computing and Botnets 525
CHAPTER 13 Final Preparation 545
Glossary 549
Index 573
Online Content:
Glossary
APPENDIX A: Answers to the “Do I Know This Already?” Quizzes and Review Questions
APPENDIX B: Memory Tables
APPENDIX C: Memory Tables Answer Key

Contents
Introduction xxi
Chapter 1 An Introduction to Ethical Hacking 3
  “Do I Know This Already?” Quiz 3
  Foundation Topics 6
  Security Fundamentals 6
  Goals of Security 6
  Risk, Assets, Threats, and Vulnerabilities 8
  Backing Up Data to Reduce Risk 11
  Defining an Exploit 11
  Risk Assessment 12
  Security Testing 13
  No-Knowledge Tests (Black Box) 13
  Full-Knowledge Testing (White Box) 14
  Partial-Knowledge Testing (Gray Box) 14
  Types of Security Tests 14
  Hacker and Cracker Descriptions 16
  Who Attackers Are 18
  Ethical Hackers 19
  Required Skills of an Ethical Hacker 20
  Modes of Ethical Hacking 21
  Test Plans—Keeping It Legal 24
  Test Phases 25
  Establishing Goals 26
  Getting Approval 27
  Ethical Hacking Report 28
  Vulnerability Research—Keeping Up with Changes 29
  Ethics and Legality 29
  Overview of U.S. Federal Laws 30
  Compliance Regulations 33
  Payment Card Industry Data Security Standard (PCI-DSS) 34
  Summary 35
  Exam Preparation Tasks 35
  Review All Key Topics 36

  Define Key Terms 36
  Hands-On Labs 36
  Lab 1-1 Examining Security Policies 37
  Review Questions 37
  Suggested Reading and Resources 42
Chapter 2 The Technical Foundations of Hacking 45
  “Do I Know This Already?” Quiz 45
  Foundation Topics 48
  The Attacker’s Process 48
  Performing Reconnaissance and Footprinting 48
  Scanning and Enumeration 49
  Gaining Access 50
  Escalation of Privilege 51
  Maintaining Access 51
  Covering Tracks and Planting Backdoors 51
  The Ethical Hacker’s Process 52
  NIST SP 800-15 53
  Operationally Critical Threat, Asset, and Vulnerability Evaluation 53
  Open Source Security Testing Methodology Manual 54
  Security and the Stack 54
  The OSI Model 54
  Anatomy of TCP/IP Protocols 57
  The Application Layer 59
  The Transport Layer 63
  The Internet Layer 66
  The Network Access Layer 75
  Summary 76
  Exam Preparation Tasks 77
  Review All Key Topics 77
  Complete the Tables from Memory 77
  Define Key Terms 78
  Exercises 78
  2.1 Install a Sniffer and Perform Packet Captures 78
  2.2 List the Protocols, Applications, and Services Found at Each Layer of the Stack 79

  Review Questions 80
  Suggested Reading and Resources 84
Chapter 3 Footprinting and Scanning 87
  “Do I Know This Already?” Quiz 87
  Foundation Topics 90
  Overview of the Seven-Step Information-Gathering Process 90
  Information Gathering 90
  Documentation 91
  The Organization’s Website 91
  Job Boards 93
  Employee and People Searches 94
  EDGAR Database 97
  Google Hacking 98
  Usenet 103
  Registrar Query 104
  DNS Enumeration 107
  Determining the Network Range 112
  Traceroute 113
  Identifying Active Machines 115
  Finding Open Ports and Access Points 116
  Nmap 123
  SuperScan 127
  THC-Amap 127
  Hping 128
  Port Knocking 128
  War Driving 129
  OS Fingerprinting 129
  Active Fingerprinting Tools 131
  Fingerprinting Services 133
  Default Ports and Services 133
  Finding Open Services 133
  Mapping the Network Attack Surface 135
  Manual Mapping 135
  Automated Mapping 136

  Summary 137
  Exam Preparation Tasks 138
  Review All Key Topics 138
  Define Key Terms 138
  Complete the Tables from Memory 139
  Command Reference to Check Your Memory 139
  Exercises 140
  3.1 Performing Passive Reconnaissance 140
  3.2 Performing Active Reconnaissance 141
  Review Questions 142
  Suggested Reading and Resources 147
Chapter 4 Enumeration and System Hacking 149
  “Do I Know This Already?” Quiz 149
  Foundation Topics 152
  Enumeration 152
  Windows Enumeration 152
  Windows Security 155
  NetBIOS and LDAP Enumeration 155
  NetBIOS Enumeration Tools 158
  SNMP Enumeration 160
  Linux/UNIX Enumeration 161
  NTP Enumeration 162
  SMTP Enumeration 163
  DNS Enumeration 163
  System Hacking 164
  Nontechnical Password Attacks 164
  Technical Password Attacks 164
  Password Guessing 165
  Automated Password Guessing 167
  Password Sniffing 167
  Keylogging 168
  Privilege Escalation and Exploiting Vulnerabilities 169
  Exploiting an Application 170
  Exploiting a Buffer Overflow 170

  Owning the Box 172
  Windows Authentication Types 173
  Cracking Windows Passwords 175
  Linux Authentication and Passwords 177
  Cracking Linux Passwords 180
  Hiding Files and Covering Tracks 181
  Rootkits 182
  File Hiding 184
  Summary 185
  Exam Preparation Tasks 186
  Review All Key Topics 186
  Define Key Terms 187
  Complete the Tables from Memory 187
  Command Reference to Check Your Memory 187
  Exercise 188
  4.1 NTFS File Streaming 188
  Review Questions 189
  Suggested Reading and Resources 193
Chapter 5 Malware Threats 195
  “Do I Know This Already?” Quiz 195
  Foundation Topics 197
  Viruses and Worms 197
  Types and Transmission Methods of Viruses 198
  Virus Payloads 200
  History of Viruses 201
  Well-Known Viruses 202
  Virus Tools 204
  Trojans 205
  Trojan Types 205
  Trojan Ports and Communication Methods 206
  Trojan Goals 208
  Trojan Infection Mechanisms 208
  Effects of Trojans 210

  Trojan Tools 210
  Distributing Trojans 213
  Covert Communication 217
  Tunneling via the Internet Layer 218
  Tunneling via the Transport Layer 220
  Tunneling via the Application Layer 221
  Port Redirection 223
  Keystroke Logging and Spyware 225
  Hardware Keyloggers 226
  Software Keyloggers 226
  Spyware 227
  Malware Countermeasures 228
  Detecting Malware 228
  Antivirus 231
  Analyzing Malware 234
  Static Analysis 234
  Dynamic Analysis 236
  Summary 239
  Exam Preparation Tasks 239
  Review All Key Topics 240
  Define Key Terms 240
  Command Reference to Check Your Memory 240
  Exercises 241
  5.1 Finding Malicious Programs 241
  5.2 Using Process Explorer 242
  Review Questions 243
  Suggested Reading and Resources 247
Chapter 6 Sniffers, Session Hijacking, and Denial of Service 249
  “Do I Know This Already?” Quiz 249
  Foundation Topics 252
  Sniffers 252
  Passive Sniffing 253
  Active Sniffing 253

  Address Resolution Protocol 254
  ARP Poisoning and MAC Flooding 255
  Tools for Sniffing 262
  Wireshark 262
  Other Sniffing Tools 265
  Sniffing and Spoofing Countermeasures 266
  Session Hijacking 267
  Transport Layer Hijacking 267
  Identify and Find an Active Session 268
  Predict the Sequence Number 269
  Take One of the Parties Offline 270
  Take Control of the Session 270
  Application Layer Hijacking 271
  Session Sniffing 271
  Predictable Session Token ID 271
  Man-in-the-Middle Attacks 272
  Man-in-the-Browser Attacks 272
  Client-Side Attacks 272
  Session Replay Attacks 274
  Session Fixation Attacks 274
  Session Hijacking Tools 274
  Preventing Session Hijacking 277
  Denial of Service and Distributed Denial of Service 278
  DoS Attack Techniques 280
  Bandwidth Attacks 280
  SYN Flood Attacks 281
  ICMP Attacks 281
  Peer-to-Peer Attacks 282
  Program- and Application-Level Attacks 282
  Permanent DoS Attacks 283
  Distributed Denial of Service 284
  DDoS Tools 285
  DoS and DDoS Countermeasures 287

  Summary 290
  Exam Preparation Tasks 291
  Review All Key Topics 291
  Define Key Terms 291
  Exercises 292
  6.1 Scanning for DDoS Programs 292
  6.2 Using SMAC to Spoof Your MAC Address 292
  Review Questions 293
  Suggested Reading and Resources 297
Chapter 7 Web Server Hacking, Web Applications, and Database Attacks 299
  “Do I Know This Already?” Quiz 299
  Foundation Topics 302
  Web Server Hacking 302
  Scanning Web Servers 304
  Banner Grabbing and Enumeration 304
  Web Server Vulnerability Identification 309
  Attacking the Web Server 309
  DoS/DDoS Attacks 310
  DNS Server Hijacking and DNS Amplification Attacks 310
  Directory Traversal 311
  Man-in-the-Middle Attacks 313
  Website Defacement 313
  Web Server Misconfiguration 313
  HTTP Response Splitting 314
  Web Server Password Cracking 314
  IIS Vulnerabilities 315
  Automated Exploit Tools 316
  Securing Web Servers 318
  Web Application Hacking 320
  Unvalidated Input 321
  Parameter/Form Tampering 321
  Injection Flaws 322
  Cross-Site Scripting and Cross-Site Request Forgery Attacks 323

  Hidden Field Attacks 325
  Other Web Application Attacks 326
  Attacking Web-Based Authentication 328
  Web-Based Password Cracking and Authentication Attacks 329
  Cookies 333
  URL Obfuscation 334
  Intercepting Web Traffic 335
  Securing Web Applications 337
  Database Hacking 339
  Identifying SQL Servers 340
  SQL Injection Vulnerabilities 341
  SQL Injection Hacking Tools 344
  Summary 345
  Exam Preparation Tasks 346
  Review All Key Topics 346
  Exercise 346
  7.1 Review CVEs and Buffer Overflows 346
  Review Questions 347
  Suggested Reading and Resources 352
Chapter 8 Wireless Technologies, Mobile Security, and Attacks 355
  “Do I Know This Already?” Quiz 355
  Foundation Topics 358
  Wireless Technologies 358
  Wireless History 358
  Satellite TV 358
  Cordless Phones 359
  Mobile Device Operation and Security 360
  Mobile Device Concerns 362
  Mobile Device Platforms 363
  Android 364
  iOS 366
  Windows Phone 367
  BlackBerry 367
  Mobile Device Management and Protection 368

  Bluetooth 368
  Wireless LANs 370
  Wireless LAN Basics 370
  Wireless LAN Frequencies and Signaling 372
  Wireless LAN Security 373
  Wireless LAN Threats 376
  Eavesdropping 378
  Configured as Open Authentication 378
  Rogue and Unauthorized Access Points 379
  Denial of Service (DoS) 380
  Wireless Hacking Tools 381
  Discover Wi-Fi Networks 381
  Perform GPS Mapping 383
  Wireless Traffic Analysis 383
  Launch Wireless Attacks 383
  Crack and Compromise the Wi-Fi Network 384
  Securing Wireless Networks 384
  Defense in Depth 384
  Site Survey 386
  Robust Wireless Authentication 388
  Misuse Detection 389
  Summary 389
  Exam Preparation Tasks 390
  Review All Key Topics 390
  Define Key Terms 390
  Review Questions 391
  Suggested Reading and Resources 394
Chapter 9 IDS, Firewalls, and Honeypots 397
  “Do I Know This Already?” Quiz 397
  Foundation Topics 400
  Intrusion Detection Systems 400
  IDS Types and Components 400
  Pattern Matching and Anomaly Detection 403
  Snort 404

  IDS Evasion 407
  Flooding 408
  Insertion and Evasion 408
  Session Splicing 408
  Shellcode Attacks 409
  Other IDS Evasion Techniques 409
  IDS Evasion Tools 411
  Firewalls 412
  Firewall Types 412
  Network Address Translation 413
  Packet Filters 414
  Application and Circuit-Level Gateways 416
  Stateful Inspection 416
  Identifying Firewalls 417
  Bypassing Firewalls 421
  Honeypots 428
  Types of Honeypots 429
  Detecting Honeypots 430
  Summary 431
  Exam Preparation Tasks 432
  Review All Key Topics 432
  Define Key Terms 432
  Review Questions 433
  Suggested Reading and Resources 437
Chapter 10 Physical Security and Social Engineering 441
  “Do I Know This Already?” Quiz 441
  Foundation T