book

Certified Ethical Hacker (CEH) v12 312-50 Exam Guide

by Dale Meredith

July 2022

Intermediate to advanced

664 pages

15h 56m

English

Packt Publishing

Read now

Unlock full access

ForewordContributorsAbout the authorAbout the reviewers
Who this book is forWhat this book coversTo get the most out of this bookDownload the color imagesConventions usedGet in touchShare Your Thoughts
The benefits of the CEH certificationIs the CEH certification right for you?The requirements and the skills you need to become a CEHEthical hacking What is information security?An overview of information securityThe CIA triadTypes of cyberattacksThe technology triangleTypes of hackersHacking phasesThe purpose/goal of cyberattacksThe Cyber Kill Chain – understanding attackers and their methodsTactics, techniques, and proceduresAdversary behavior identificationIndicators of compromiseInformation security controlsEnter ethical hackingThe importance of ethical hackingUnderstanding defense-in-depth strategiesInformation security laws and standardsPayment Card Industry Data Security StandardISO, IEC 2701 2013 Health Insurance Portability and Accountability Act Privacy rulesSecurity rule National identifierEnforcement rule The Sarbanes-Oxley (SOX) Act The Digital Millennium Copyright ActFederal Information Security Management ActGeneral Data Protection RegulationThe Data Protection Act 2018 SummaryQuestions
Overview of reconnaissanceTypes of reconnaissanceGoals of reconOverview of the tools of reconSearch enginesLet's start with the basicsGoogle hackingGoogle operatorsUsing Google operatorsGoogle Hacking DatabaseOther Google hacking toolsUsing WHOISUsing ping and DNSSummaryQuestions
Investigating the target's websiteAdvanced DNS tricksNetcraft The Wayback MachineWhat organizations give away for free Job sitesMarketing and customer supportFinancial and competitive analysis dataEmployees – the weakest linkFacebookLinkedInResearching peopleSocial engineering You've got mail = I've got you!Reconnaissance countermeasuresCountermeasuresSummaryQuestions
Grasping scanningTypes of scanningWhat's the goal?What techniques are used?Tools used for scanningUnderstanding the three-way handshakeTCP and UDP communicationsChecking for live systems and their portsICMP sweep/ping sweep Port scanning What's firewalking?Mobile apps that helpScanning by thinking outside the boxFull scansHalf-open scanXmas scansFIN scansNULL scansUDP scansIdle scansListing scanningSSDP scanningCountermeasuresMore IDS evasion methodsBanner grabbing and OS fingerprintingOS fingerprintingCountermeasuresVulnerability scanning and drawing out the networkWhat is vulnerability scanning?Types of scannersHow does vulnerability scanning work?Vulnerability scanning toolsAfter scanningWhy draw out the network?Preparing proxies and other anonymizing techniquesWhat is a proxy?How to use a proxy Proxy o'plentyHTTP tunnelingAnonymizersSummaryQuestions
What is enumeration?Some of my favorite enumeration weak pointsPorts and services to know aboutEnumerating via defaultsNetBIOS enumerationEnumerating using SNMPEnumerating via LDAPUnderstanding LDAPClassesWhat can we learn from LDAP?Network Time ProtocolEnumerating using SMTPThe golden ticket – DNSReverse lookupsZone transfersDNS recordsSum it upOh wait, there's more!IPsecVoIP enumerationEnumerating with Remote Procedure Call (RPC)The countermeasuresDefaults and NetBIOSSNMPLDAPNetwork Time Protocol (NTP) Simple Mail Transfer Protocol (SMTP) DNSSummaryQuestions
Vulnerability analysis – where to startVulnerability classificationsThe benefits of a vulnerability management program (VMP)Vulnerability assessments Types of vulnerability assessments The vulnerability life cycleTypes of vulnerability assessment solutionsCorporate policies and regulationsThe scope of scanning Scanning frequencyTypes of scansScanner maintenanceClassifying dataDocument managementOngoing scanning and monitoringUnderstanding which scanner you should use The difference between open source and commercial scanners On-premises versus the cloud Security Content Automation Protocol (SCAP)Exploit scannersCommon Vulnerability Scoring System (CVSS) TrendsSummaryQuestions
Understanding our objectivesThe five phasesPhase 1 – Gaining access and cracking passwordsWhat's cracking?ComplexityPassword architectureMethods for cracking/password hackingTypes of attacksAuthentication methods designed to helpOther cracking methodsPhase 2 – Escalating privilegesWe've made it in. What now?CountermeasuresTypes of escalationsOther Windows issuesScheduled tasksApple issuesLinux issuesWeb shellsBuffer overflowsDenial of servicePhase 3 – Maintaining access and executing applicationsSpyware and backdoorsTypes of spyware More about backdoorsPhase 4 – Maintaining access and hiding your toolsRootkitsHorse Pill Alternate Data Streams Detecting rootkitsSteganographyPhase 5 – Covering your tracks – Clearing logs and evidenceBasic method – Five things to doAdvanced methodsSummaryQuestions

Understanding social engineeringSocial engineering's most common victimsThe effects of a social engineering attack on a company Attack-vulnerable behaviorsFactors that predispose businesses to attacksWhat makes social engineering work?Social engineering's attack phasesSocial engineering methodsPeople-based social engineering Computer-based social engineeringMobile-based social engineering Threats from withinReasons for insider attacksDifferent kinds of insider threatsWhy are insider attacks so successful?Insider threat behavioral signsImpersonation on social networking sitesThreats to corporate networks from social mediaIdentity theftDifferent kinds of identity theftIdentity theft warning signsCountermeasuresCountermeasures against social engineeringPolicies for passwordsPolicies concerning physical securityPlanning for defenseDiscovering insider threatsCountermeasures against insider threatsCountermeasures against identity theftCountermeasures against phishingSummaryQuestionsFurther reading
So, what is malware? What's the purpose of malware?Types of malwareThe life cycle of malware Phase 1 – Infection phasePhase 2 – Attack phasePhase 3 – CamouflageHow is malware injected into a target system?Advanced persistent threats What is a Trojan?Types of TrojansCommon TrojansSo, what's the difference?Trojan creators' goalsHow Trojans communicate and hide Symptoms of Trojan infectionHow to infect a target with a TrojanHow do Trojans get into our systems? How Trojans avoid being picked up by antivirusViruses and wormsTypes of viruses and worms Why a virus and signs you've got oneSigns of infection Deployment of viruses Investigation of malware Tools in our utility belt DoS threatsDistributed DoS (DDoS) attackBotnetsMitigation strategiesSession-hijacking threatsPreventing session hijackingMaster list of countermeasures AntivirusCreating a security policyWatching the downloadUpdating your softwareUpdating applicationsAttachment issues Legitimate sourceKeeping informedAntivirusChecking your mediaWatching your popupsChat files Firewall and UAC SummaryQuestions
What is sniffing?Sniffing dangersTypes of sniffingSpoofing attacksDHCP starvation attackDHCP server attack MAC flooding attack DNS poisoningARP poisoningPassword sniffing Switch-port stealing technique Hardware versus software sniffingSniffing mobile appsDHCP assaults DHCP starvation attacksGoing rogueCountermeasuresMAC attacksCAMFloodingCountermeasuresARP poisoningARP spoofingHow to poison the network via ARPIRDP attacksDangers of ARP attacksCountermeasuresDNS poisoningIntranet poisoningInternet poisoningProxy server poisoningPoisoning the cacheDetecting sniffing methodsVarious techniques to detect sniffing attacksSniffing attacks countermeasuresEvading IDSSo, how do hackers evade IDSs?Moving around firewalls Bastion hostScreened subnet (or demilitarized zone (DMZ))Multi-homed firewall Software firewallsHardware firewallsApplication proxyA few techniques to evade firewallsHoneypotsDetecting a honeypotHoneypot toolsSummaryQuestions
The wireless network and its typesFrequency hopping spread spectrum Direct sequence spread spectrumBasic service set identifierSSIDGlobal System for Mobile CommunicationsHotspotAssociationMIMO-OFDMThe disadvantages of Wi-FiThe advantages of Wi-Fi Types of Wi-Fi networks Different Wi-Fi technologiesWi-Fi authentication modesChalking – ways to identify Wi-Fi networksAntenna typesThe right encryption can helpWEP encryptionWi-Fi Protected Access WPA2WPA3Weak initialization vectors Security measuresA plethora of attack vectors Access control attacksIntegrity attacksConfidentiality attacksAvailability attacksAuthentication attacksAttacks on the APsAttacks on clients Methodology of wireless hackingStep 1: Wi-Fi discoveryStep 2: Wireless traffic analysisStep 3: In-depth reconnaissanceStep 4: Launching the attackStep 5: Cracking the encryptionHacking Bluetooth More about Bluetooth Countermeasures for BluetoothThe six layers of wire security Countermeasures Disable SSID broadcastingDisable remote login and wireless administration to the deviceEnable MAC filtering Update drivers on Wi-Fi devicesCreate a centralized authentication serverSecure Wi-Fi devicesBest practices for the SSID settingsSummaryQuestions
Vulnerabilities in mobile environmentsOWASP's Top 10 risks for mobile devicesHacking AndroidAndroid securityHacking techniquesLocking down Android devicesHacking iOSThe Apple architectureJailbreaking Mobile device managementGuidelines and cool tools SummaryQuestions
Why web servers create security issuesComponents of a web serverTypes of architectureWhy are web servers compromised?Adding web appsThreats to both servers and applicationsWeb server attacksAuthorization attacksWeb application attacksThe vulnerabilities of web APIs, web shells, and webhooksWeb APIsWeb shellsWebhooksDetecting web server hacking attemptsWeb application security testingSummaryQuestions
Understanding IoTHow does it all work?The architecture of IoTProtocols and technologiesOperating systems for IoTThe challenges that IoT presentsPhysical issuesIoT hackingTypes of IoT attacksMethods used for IoTReconnaissanceVulnerability scanningLaunching attacksGaining and maintaining remote accessCountermeasures to protect IoT devicesOT and methods used to hack itHacking OT – a threat to critical infrastructureIntroduction to industrial control systems (ICSs)SummaryQuestions
Living on Cloud 9Cloud computing modelsSeparation of responsibilities in cloud computingDeployment modelsContainer technologyCloud storage architectureCloud storage servicesNIST cloud deployment reference architectureAttacking the cloudCloud securityContainer vulnerabilitiesTools and techniques of the attackersThe tools Best practices for securing the cloudSummaryQuestions
Understanding cryptographyWhy use cryptology?Types of cryptographyLearning about ciphersUsing other algorithmsStandards and protocolsDSA RSAHashesMessage digestCiphers designed for messagesPKI made simpleSSL and TLSCountermeasures for cryptographySummaryQuestions
Exam questionsAnswer key
Chapter 1 – Understanding Ethical HackingChapter 2 – Introduction to ReconnaissanceChapter 3 – Reconnaissance – a Deeper DiveChapter 4 – Scanning NetworksChapter 5 – EnumerationChapter 6 – Vulnerability AnalysisChapter 7 – System HackingChapter 8 – Social EngineeringChapter 9 – Malware and Other Digital AttacksChapter 10 – Sniffing and Evading IDS, Firewalls, and HoneypotsChapter 11 – Hacking Wireless NetworksChapter 12 – Hacking Mobile PlatformsChapter 13 – Hacking Web Servers and Web AppsChapter 14 – Hacking IoT and OTChapter 15 – Cloud ComputingChapter 16 – Using Cryptography
Other Books You May EnjoyPackt is searching for authors like youShare Your Thoughts

Content preview from Certified Ethical Hacker (CEH) v12 312-50 Exam Guide

Chapter 5: Enumeration

Enumeration is interesting. It does something that we typically don't want to happen. It makes systems behave abnormally or in a way that we wouldn't expect them to. Steve Wozniak, one of Apple's founders, said that a lot of hacking is playing with other people, you know, getting them to do strange things, and that's exactly what enumeration does for us. Enumerating is a core part of evaluating any target. An enumeration can be as simple as running a reverse DNS lookup on an IP address, or as complex as the entire OSINT process being run on a target. Enumerating a target is one of the most important steps in penetration testing. The goal of performing enumeration on a network is to gather as much information about the ...