
CEH Certified Ethical Hacker Cert Guide Index


Fair Use Source: B09M86B259 (CEHsntos 2022)

Index

A

ACL (access control lists), 513–514

active fingerprinting, 142–144

active sniffing, 314, 316

activity profiling, 350

AD (Active Directory), 166

ad-hoc WLANs, 462

AdMutate, 510

ADS (alternate data streams), 217–218

AES (Advanced Encryption Standard), 548, 550

Agile, 594–595

AI (artificial intelligence), viruses and, 250–251

aircrack-ng, 469

airmon-ng tool, 469

airodump-ng tool, 469–470

AirSnare, 486–487

AirSnort, 484

AirTraf, 484

Aitel, D., 394

ALE (annualized loss expectancy), 13–14

algorithms, 544

encryption, 545–546

hashing, 571–572

Anderson, J., 495

Android, 451–453

applications, 454

Device Administration API, 453–454

malware, 455

rooting, 455

antivirus, 250, 283, 285

activity blockers, 285

heuristic scanning, 283–284

integrity checking, 284

signature scanning, 283

APIs (application programming interfaces), 281, 391

Device Administration, 453–455

documentation, 390–391

fuzzing, 391–392

securing, 392

application layer, session hijacking, 334

browser-based on-path attacks, 337

client-side attacks, 335–337

on-path attacks, 335–350

predictable session Token ID, 334–335

session fixation attacks, 338

session replay attacks, 338

session sniffing, 334

application-level attacks, 345–346

applications

Android, 454–455

containers, 598–600

exploits, 200

Java, 202

StickyKeys, 200–201

ports, 62–63

testing, 24

vulnerabilities, 11

web, 362, 368–369

APTs (advanced persistent threats), 248

architecture, Windows, 164–165

ARIN (American Registry for Internet Numbers), 106

ARO (annual rate of occurrence), 13–14

ARP (Address Resolution Protocol), 59, 78, 316–317

messages, 317

poisoning, 317–318

spoofing, 320

arp -a command, 318

Arpwatch, 330

assets, 9

asymmetric encryption, 544, 546, 551–552

Diffie-Hellman, 552–553

ECC (Elliptic-Curve Cryptography), 553

ElGamal, 553

RSA, 552

attacks

Bluejacking, 459

Bluesnarfing, 460

brute-force, 206

bump, 452

client-side, 335–337

cloning, 449

cloud computing, 592–593

cookie manipulation, 385

cryptographic, 558–560

CSRF (cross-site request forgery), 408–409

cybercrime and, 31–32

cyberterrorism, 21

DDoS (distributed denial-of-service), 10, 347–348

deauthentication, 468–471

dictionary, 206

directory traversal, 382–384

disgruntled employees and, 21

DOM-based XSS, 404–405

DoS (denial-of-service), 10, 311, 341–343, 380

application-level, 345–346

countermeasures, 350–352

ICMP, 344–345

peer-to-peer, 345

permanent, 346–347

SYN flood, 344

volumetric, 343–344

evil twin, 468

fragmentation, 480–482

HTTP response splitting, 385

inference, 558–559

IV (initialization vector), 472–473

jamming, 472

KARMA, 481

KRACK (Key Reinstallation AttaCK), 479

obfuscated, 499–500

overlapping fragmentation, 72

parameter tampering, 393, 399

on-path, 318, 335–350, 384

phishing, 20–21

phreakers and, 20

poison apple, 258

preferred network, 472

reflected XSS, 401–402

RFID (radio frequency identification), 461

rogue APs, 467

rubber hose, 560

script kiddies and, 20–21

session fixation, 338

shellcode, 508

social engineering

malvertising, 236–237

motivation techniques, 247

pharming, 235–236

phishing, 235

pretexting, 246–247

shoulder surfing, 248

SMS phishing, 245

spear phishing, 237–244

USB baiting, 248

vishing, 245

whaling, 245–246

software crackers/hackers and, 21

starvation, 321

stolen equipment, 24

stored XSS, 402–404

SYN flood, 611

system crackers/hackers and, 21

tumbling, 449

unvalidated input, 398–399

watering-hole, 52, 202, 260

web, 373

website defacement, 384

WEP (Wired Equivalent Privacy), 472–474

WPA (Wi-Fi Protected Access), 476–478

against WPA3, 479–480

attribute command, 217

authentication, 411–412, 543–544

certificate-based, 412

forms-based, 412

Kerberos, 198, 205

MD5, 412

multifactor, 196

Windows, 203–205

wireless, 485–486

automated exploit tools, 393–395

availability, 8

AWS Lambda, 598

B

backdoors, 54, 257–258, 416

backups, 11–12

banner grabbing, 519–520

using curl, 145–146

using Netcat, 147

using telnet, 146–147

using whatweb, 148

Base64, 562

BeEF (Browser Exploitation Framework), 394

BinText, 287

biometrics, 196–197

black box testing, 14–15

black hat hackers, 19

Blackberry, 457

BLE (Bluetooth Low Energy), 604

block cipher, 549

Bluesnarfing, 460

Bluetooth

Bluejacking, 459

Bluesnarfing, 460

classifications, 458

versions, 458–459

bogons, 513

botnets, 606–607

countermeasures, 609–611

crimeware, 608

fast flux, 607

financial-based, 608

installation, 609

Brain virus, 252

brute-force attacks, 206, 414

Brutus, 563

buffer overflows, 201–202, 501

bump attacks, 452

Burger, Ralf, 252

Burneye, 264

Burp Proxy, 417

Burp Suite, 414

BYOD (bring your own device), 444, 452–453

C

Caesar’s cipher, 545

Caffrey, A., 261

Cain and Abel, 484

Canvas, 394

CartoReso, 150

cell phones, 450–451. See also mobile devices

cloning, 449

forensics, 452

tumbling, 449

CER (crossover error rate), 196

certificate-based authentication, 412

chosen plaintext attack, 559

CIA (confidentiality, integrity, and availability) triad, 8–9, 14

availability, 8

confidentiality, 8, 25, 543

integrity, 8, 544

CI/CD (continuous integration/delivery) pipelines, 596–597

Build stage, 597

Deploy stage, 597

Test stage, 597

cipher-text only attack, 559

circuit gateways, 515

Cisco Smart Install abuse, 524–526

Clark, Z., 19

clearing, log files, 214

clickjacking, 409

client-side attacks, 335–337

cloning, 449

closed port scanning, 129–131

cloud computing, 588–589, 591

access control, 590

attacks, 592–593

auditing, 590

CI/CD, 596–597

deployment models, 588–589

encryption and, 591

regulatory requirements, 590

security, 593

serverless computing, 598

training and, 590

cluster viruses, 250

code of ethics, 31

Code Red worm, 253

code signing, 393, 421

collision domain, 315–316

commands

arp -a, 318

attribute, 217

hping2, 510

Linux, 211

expn, 184

locate, 170–171

rpcinfo -p, 183

showmount command, 184–185

tcpdump, 367–368

vrfy, 184

net use, 196–197

netstat, 280–281

no vstack, 524

ntpq -pn, 186

passwd encryption, 526

service rsyslog stop, 213

smtp-user-enum, 190

snmp-user-enum, 189–190

VRFY, 188–189

Windows, net, 168

company directories, footprinting and, 104

compliance

PCI-DSS (Payment Card Industry Data Security Standard), 36

regulations and, 34–36

Conficker worm, 254

confidentiality, 8, 25

disclosure and, 10

encryption and, 543

containers, 598–599

Docker, 599

images, 600

registries, 599

scanning, 600–601

cookie(s), 414–415

manipulation attacks, 385

UID value, 415

Core Impact, 394–395

countermeasures

botnet, 609–611

DDoS/DoS attacks, 350–352

enumeration, 192–193

footprinting, 122

malware, 279–280

Poodlebleed, 560

sniffing, 328–330

spoofing, 328–330

covering tracks, 20, 54, 213–214

covert communication, 268–269

port redirection, 274–276

tunneling

ICMP, 270–272

IPv6, 269–270

TCP, 272–273

UDP, 273

via the application layer, 273–274

coWPAtty, 484

cracker(s), 19, 21

crimeware, 608–609

cross-site scripting, 400–401

crypters, 265–267

cryptography, 8, 543. See also encryption; steganography

ATBASH, 545

Caesar’s cipher, 545

CryptoTool, 563

CSMA/CA (carrier-sense multiple access with collision avoidance), 463

CSRF (cross-site request forgery), 408–409

CVSS (Common Vulnerability Scoring System), 292–295

CWE (Common Weakness Enumeration), 388

cyber kill chain, 18, 257

cyberattacks, 10

cybercrime, 31–32

cyberterrorism, 21

D

databases, 24

hacking, 421–422

SQL, 422–423

Datapipe, 276

DDoS (distributed denial-of-service) attacks, 10, 32, 347–348, 380

countermeasures, 350–352

tools, 348–350

deauthentication attacks, 468–471

deny all, 52, 78–79

DES (Data Encryption Standard), 548–550, 560

detecting

malware, 280–283, 286

sniffers, 329

Device Administration API, 453–455

DevOps, 593, 595–596

DHCP (Dynamic Host Configuration Protocol), 64

redirect attack, 321–322

snooping, 322–323

dictionary attacks, 206

differential backups, 12

Diffie-Hellman, 552–553

digital certificate, 553–554, 557

PKI (public key infrastructure), 554–555

digital signature, 573

digital watermark, 571

directory traversal, 382–384

disaster recovery, 4, 591

disclosure, 10

disgruntled employees, 21

disk encryption, 557

DLL injection, 200

DNS (Domain Name System), 64–65

enumeration, 191–192

footprinting, 112–118

dig and, 117

Nslookup and, 116

records and types, 113

Security Extensions, 328–329

server hijacking, 380–382

SOA (Start of Authority) record, 113

spoofing, 323

zone files, 65

zone transfers, 112–116, 118

DNSSEC (Domain Name System Security Extensions), 65

Docker, 599

documentation, API, 390–391

domain proxy, 111

DOM-based XSS attacks, 404–405

DoS (denial-of-service) attacks, 10, 24, 311, 341–343, 380

application-level, 345–346

countermeasures, 350–352

ICMP, 344–345

peer-to-peer, 345

permanent, 346–347

SYN flood, 344

volumetric, 343–344

down-level software, 51–52

droppers, 265, 278

DSSS (direct-sequence spread spectrum), 464

dynamic analysis, 288–290

E

EAP (Extensible Authentication Protocol), 485–486

eavesdropping, 449

ECC (Elliptic-Curve Cryptography), 553

EC-Council approach to incident response, 17–18, 93, 151, 218–219

EDGAR database, 105–106

EF (exposure factor), 13–14

egress filtering, 352–353

ElGamal, 553

ELSave, 214

email. See also SMTP (Simple Mail Transfer Protocol)

encryption, 557

footprinting, 104, 106–107

phishing, 235

spear phishing, 237–244

Trojans and, 259

Emotet, 254

encryption, 411–412, 543

algorithms, 545–546

asymmetric, 544, 546, 551–552

Diffie-Hellman, 552–553

ECC (Elliptic-Curve Cryptography), 553

ElGamal, 553

RSA, 552

confidentiality and, 543

cracking, 484, 563

digital certificates, 553–554

email and disk, 557

nonrepudiation and, 544

processing power and, 563

public key, 553

symmetric, 544, 546–547

AES (Advanced Encryption Standard), 550

DES (Data Encryption Standard), 548–550, 560

disadvantages of, 547–548

Rivest Cipher, 551

shared keys, 547

weak, 561

Base64, 562

Uuencode, 562

XOR (exclusive ORing), 561

England, hacking laws, 33

encapsulation, 61

enum4linux, 173–176

enumeration, 20, 51–52, 160, 164

countermeasures, 192–193

DNS (Domain Name System), 191–192

firewalls

banner grabbing, 519–520

firewalking, 518–519

hping, 517–518

port scanning, 517

traceroute and, 517

Linux/UNIX, 183–185

NetBIOS

enum4linux and, 173–176

Hyena and, 177

locate command, 170–171

nbname and, 176–177

nbtscan and, 170

Nmap and, 172–173

NTP, 185–186

SMTP

commands, 188–190

TCP ports, 187

SMTP (Simple Mail Transfer Protocol), 186–190

SNMP (Simple Network Monitoring Protocol), 177–183

NSE (Nmap Scripting Engine), 179

snmp-check tool, 179–183

web server

Netcat, 376–377

Telnet, 375–376

WhatWeb, 375

websites

Httprint, 378–379

NSE scripts, 377

Windows, 164

LDAP, 167–169

NetBIOS, 167–169

RIDs (relative identifiers), 166

SIDs (security identifiers), 165–166

error handling, 389

ethical hacking, 19, 31, 34

code of ethics, 31

compliance regulations, 34–36

methodology, 54–55

modes of, 23–24

pen testing, 21–22

reasons for, 26–27

report, 29–30

required skills, 22–23

rules of, 24–25

scope of engagement, 25–26

test phases

establishing goals, 28–29

getting approval, 29

report, 29–30

Z. Clark and, 19

Ettercap, 320

European Union, privacy laws, 107

Evan’s Debugger, 286

evil twin attack, 468

exploits, 12, 296

application, 200

buffer overflow, 201–202

JAD file, 457

Java, 202

PewDiePie printer hack, 13

SQL injection

Boolean technique, 431–432

out-of-band technique, 432–433

union operator, 430–431

zero-day, 12

expn command, 184

exploit-db.com, 51–52

external

assessments, 290

pen testing, 23

F

FAR (false acceptance rate), 196

fast flux botnet, 607

fast infection viruses, 250

FHSS (frequency-hopping spread spectrum), 464

finger, 183

fingerprinting, 141

active, 142–144

finding open services, 145–148

operating systems, 141

passive, 141

services, 145

SQL, 430

firewalking, 518–519

firewalls, 491, 511, 519–520

application gateways, 515

bypassing, 520–524

application layer tunneling, 521–522

Internet layer protocols, 520–521

TFTP (Trivial File Transfer Protocol), 523–524

transport layer protocols, 521

circuit gateways, 515

identifying, 516

banner grabbing, 519–520

firewalking, 518–519

hping, 517–518

port scanning, 517

traceroute and, 517

NAT (Network Address Translation), 512–513

packet filters, 513–514

stateful inspection, 515–516

types of, 512

Flame, 250

fog computing, 602, 603

footprinting, 20, 93. See also scanning

countermeasures, 122

DNS, 112–118

dig and, 117

zone transfers, 113–116

documentation and, 95

email, 106–107

methodology, 93–95

NDP (Network Discovery Protocol), 116

network, 118

subnetting and, 119–120

traceroute, 120–121

through search engines, 96–101

Google search terms, 96–97

Shodan, 100–101

through social engineering, 121

through social networking sites, 101–102

through web services and websites, 103–106

company directories, 104

EDGAR database, 105–106

email, 104

job posting boards, 104–105

location information, 104

Wayback Machine, 104

Whois, 108–111

forensics, 352, 452

forms-based authentication, 412

FPipe, 276

fragAttacks, 480

fragmentation, 70–72, 481–482

freeware, 260

FRR (false rejection rate), 196

FTP (File Transfer Protocol), 63–64

full backups, 12

full-knowledge testing, 15

fuzzing, 391–392, 421

G

gaining access, 565

GDPR (General Data Protection Regulation), 26

geolocation, 451

Gilmore, J., 560

GitHub, 135

GLBA (Gramm-Leach-Bliley Act), 26

Google, 96, 453

Hacking Database, 98–99

search terms, 96–97

GPS mapping, 483

crack and compromise the Wi-Fi network, 484

launch wireless attack, 483–484

wireless traffic analysis, 483

gray box testing, 15

gray hat hackers, 19

Green, J., 261

H

TheHackerGiraffe, 13

hacking, 10, 19, 21

black hat, 19

gray hat, 19

hacktivists, 32

IoT (Internet of Things), 606

laws

evolution of, 33–34

US federal, 32–34

methodology, 20. See also covering tracks; enumeration; footprinting; maintaining access; privilege escalation; scanning

covering tracks, 54

escalating privilege, 53

gaining access, 52–53

maintaining access, 53

reconnaissance and footprinting, 50–51

scanning and enumeration, 51–52

social engineering, 51

suicide, 19

hard-coded credentials, 389

Hashcat, 207–209, 563

hashing, 8, 571–572

heap spraying, 202

Heartbleed, 565

hiding files, 213–214

hierarchical trust, 556

high-level assessment/audit, 16

HIPAA (Health Insurance Portability and Accountability Act), 26

honeypots, 491, 526–528

detecting, 529–530

types of, 528–529

host-based IDS (intrusion detection system), 495

hping, 76, 140, 517–518

hping2 command, 510

HTTP (Hypertext Transfer Protocol), 66, 366–369, 371–373, 414

proxies, 372

responses, 369

requests, 369

status code messages, 370

URLs and, 370–371

Hyena, 177

I

IANA (Internet Assigned Numbers Authority), 106, 108

ICANN (Internet Corporation for Assigned Names and Numbers), 108

ICMP (Internet Control Message Protocol), 69

attacks, 344–345

tunneling, 270–272

type 3 codes, 73

types and codes, 70–73

IDA Pro, 286

IDS (intrusion detection system), 51–52, 350, 486–487, 490

anomaly detection, 499–502

components, 495

evasion techniques, 509–510

flooding, 507

insertion and evasion, 507

session splicing, 508

shellcode, 508

evasion tools, 510–511

heuristic-based analysis, 500

host-based, 495

network-based, 495–496

pattern matching, 497–500

signatures, 498

stateful, 498

protocol analysis, 500

protocol-decoding, 499

responses, 496, 499

Snort, 502, 510

keywords, 503

rules, 502–505

Squert and, 505

tuning, 496–497

weaknesses, 501

IM (instant messaging), Trojans and, 259

impersonation, 246–247. See also pretexting

incident response, 17–18

incremental backups, 12

inference attack, 558–559

inference-based assessments, 291

information gathering, 23, 50–51, 95. See also footprinting; reconnaissance

InSpy, 102

INSTEON, 605

integrity, 8, 544

internal

assessments, 290

pen testing, 24

IOC (indicator of compromise), 18

iOS, 455–456

IoT (Internet of Things), 449, 601–604

fog computing and, 602–603

hacking, 606

protocols, 604–605

security challenges, 602–603

IP Source Guard, 328–329

IPv4/6, 69–70

converting addresses to binary, 523

fragmentation, 70–72

private address ranges, 70

tunneling, 269–270

IPC$ (InterProcess Communication), 168

IPS (intrusion prevention system), 490, 502

IPsec, 191, 564

IRC (Internet Relay Chat), 259, 607

IV (initialization vector) attacks, 472–473

J

JAD (Java Application Descriptor) files, 457

jailbreaking, 452, 455–456

jamming, 472

Java, exploits, 202

job posting boards, 104–105

John the Ripper, 212–213, 563

K

Kali Linux, 151

Kanban, 595

KARMA attacks, 481

KerbCrack, 198

Kerberos, 198, 205

keyloggers, 198–199, 276–277

hardware, 277

software, 277–278

keywords, Snort, 509

Kismet, 484, 487

known plaintext attack, 559

Kocher, P., 560

KRACK (Key Reinstallation AttaCK) attacks, 479

Kubernetes, 55

L

LAN Turtle, 565

LDAP, enumeration, 167–169

LKM (loadable kernel module), 215

Linux, 151, 382

Arpwatch, 330

commands, 211

expn, 184

rpcinfo -p, 183

showmount, 184–185

tcpdump, 367–368

vrfy, 184

curl, 145–146

enumeration, 183–185

locate command, 170–171

Nmap, 131

passwd file, 210

password cracking, 209–213

rootkits, 214–216

salts, 211–212

Security Onion Distribution, 505–506

traceroute, 74–75

LM (LAN Manager), 203–205

locate command, 170–171

location, information gathering and, 104

log files, 416–417

clearing, 214

syslog service, 523

lookups, Whois, 109

LoRaWAN (Long Range Wide Area Network), 605

LRWPAN (Low Rate Wireless Personal Area Networks), 605

LSASS (Local Security Authority Server Service), 167

M

MAC (media access control), 59, 77–78

flooding, 320–321

spoofing, 323

MacOS, privilege escalation, 200

macro viruses, 250

maintaining access, 20, 203

Maltego, 99

malvertising, 236–237

malware, 10, 248. See also virus(es)

analysis, 286

dynamic, 288–290

static, 286–288

countermeasures, 279–280

detecting, 280–283, 286

Emotet, 254

Flame, 250

mobile devices and, 451

transmission methods, 249–251

man-in-the-middle attack, 559

mapping, networks, 148–151

MD5, 412

Melissa virus, 253

Meltdown, 199

Mendax, 510

messages

ARP, 317

HTTP, 370

Metasploit, 176–177, 393

methodology

ethical hacking, 54–55

footprinting, 93–95

hacking, 20. See also covering tracks; enumeration; footprinting; maintaining access; privilege escalation; scanning

covering tracks, 54

escalating privilege, 53

gaining access, 52–53

maintaining access, 53

reconnaissance and footprinting, 50–51

scanning and enumeration, 51–52

information security systems and the stack, 57

MITRE ATT&CK framework, 218–219

NIST SP 800-115, 56

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), 56

OSI model and, 57–60

OSSTMM (Open-Source Security Testing Methodology Manual), 56–57

software development

Agile, 594–595

DevOps, 595–596

waterfall, 594

MFA (multifactor authentication), 196

MFP (Management Frame Protection), 471

Microsoft, 19

Mimikatz, 197–198

misconfiguration, web server, 384–385

misuse detection, 486–487

MITRE ATT&CK framework, 18, 51, 94–95, 218–219

mobile devices, 449. See also wireless communication

Android, 451–455

Blackberry, 457

bump attacks, 452

data exfiltration, 451

eavesdropping, 449

geolocation, 451

iOS, 455–456

jailbreaking, 452, 456

malware, 451

platforms, 452–453

security controls, 457

tumbling, 449

Windows Mobile Operating System, 456

Mognet, 482–483

money mule, 609

Moore's Law, 548

Morris, R., 253

moving laterally, 20

MP3Stego, 568

multipartite viruses, 250

N

NAT (Network Address Translation), 512–513

nbname, 176–177

nbtscan, 170

NDA (nondisclosure agreement), 25

NDP (Network Discovery Protocol), 69–70

Nessus, 511

net commands, 168

net use command, 196–197

NetBIOS, enumeration, 167–169

enum4linux and, 173–176

Hyena and, 177

locate command, 170–171

nbname and, 176–177

nbtscan and, 170

Nmap and, 172–173

tools, 169–177

Netcat, 275

banner grabbing, 147

web server enumeration, 376–377

netstat, 280–281

NetStumbler, 482

network

evaluation, 17

footprinting, 118

subnetting and, 119–120

traceroute, 120–121

mapping, 148–151

network-based IDS (intrusion detection system), 495

detection methodologies, 496

protocol analysis, 500

NFS (Network File System), 184

NIDSbench, 511

Nikto, 148

Nimda worm, 253–254, 383

NIST (National Institute of Standards and Technology), 548

SP 800-31, 56

SP 800-145, 588

NLog, 150

Nmap, 131–139, 384

active fingerprinting, 143–144

decoy switch, 135

NetBIOS enumeration, 172–173

NSE scripts, 135–136, 314–315

performing a three-step connection, 136–137

switches, 131–134

no vstack command, 524

no-knowledge testing, 14–15

nonrepudiation, 544

nontechnical password attacks, 193–194

NSE (Nmap Scripting Engine), 135–136, 179, 377

Nslookup, 112–113, 116

NTLM, 203–205

NTP (Network Time Protocol), enumeration, 185–186

ntpq -pn command, 186

O

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), 56

OFDM (orthogonal frequency-division multiplexing), 464

OllyDbg, 287

Omnipeek, 483

open services, finding, 145–148

open-source tools, FOCA, 99

OpenVAS, 52

operating systems

fingerprinting, 141

vulnerabilities, 11

Ophcrack, 209

OSA (Open System Authentication), 478–479

OSI model, 57–60

application layer, 58

data-link layer, 59

network layer, 59

physical layer, 59–60

presentation layer, 58

session layer, 58

transport layer, 58–59

OSSTMM (Open-Source Security Testing Methodology Manual), 56–57

overlapping fragmentation attack, 72

OWASP, 389, 392, 406

Clickjacking Defense Cheat Sheet, 409

Cross-Site Scripting Prevention Cheat Sheet, 406–407

owning the box, 203

P

packers, 265

packet filters, 513–514

packetforge-ng tool, 481–482

partial-knowledge testing, 15

pass the hash, 197–198

passive fingerprinting, 141

passive sniffing, 315–316

passwd encryption command, 526

passwd file, 210

password

attacks

nontechnical, 193–194

technical, 194–195

cracking

Linux, 209–213

web application, 412–413

web server, 386

Windows, 205–209

guessing, 195–197

salts, 211–212

sniffing, 197–198

patch management, 351, 395

on-path attacks, 318, 335–350, 384

PCI-DSS (Payment Card Industry Data Security Standard), 36

peer-to-peer attacks, 345

pen testing, 2, 17, 21–22

external, 23

internal, 24

report

confidentiality and, 30

sections, 30

permanent DoS attacks, 346–347

pharming, 235–236

phishing, 20–21, 235, 237–244. See also spear phishing

phreakers, 20

physical security testing, 24

Piessens, M., 479

ping, 123–124

PKI (public key infrastructure), 554–555

poison apple attack, 258

policies, 17

Poodlebleed, 560

port(s), 62–63, 67–68

knocking, 140

redirection, 274–276

scanning, 124–131, 191, 517

closed, 129–131

open, 128–129

TCP, 126–127

tools, 131–140

UDP, 131, 137

security, 328–329

spanning, 314

TCP, 125, 167, 187

Trojans and, 257–258

PPTP (Point-to-Point Tunneling Protocol), 564

pre-attack phase, 150

preparing for the exam, 620–621

pretexting, 246–247

principle of least privilege, 63

privilege escalation, 53, 199–200, 202

DLL injection, 200

MacOS and, 200

processes, Trojans and, 280

programming, buffer overflows, 201–202, 410–411

protocol-decoding IDS (intrusion detection system), 499

protocols

enumeration techniques, 191

IoT (Internet of Things), 604–605

security, 563–565

stateless, 366

public key encryption, 553

PWdump, 205–206

Q

qualitative risk assessment, 13

quantitative risk assessment, 13–14

R

race credentials, 389–390

ransomware, 254, 267–268

RATs, 261–263

Reaver, 481

reconnaissance, 20, 50, 51. See also footprinting

red teaming, 17

reflected XSS attacks, 401–402

regulations, compliance and, 34–36

residual risk, 9

RFC (request for comments)

2613, 314

2827, 351

3704, 351

RFID (radio frequency identification) attacks, 461

RIDs (relative identifiers), 166

Rijndael, 550

rings of protection, 164

RIRs (Regional Internet Registries), 108

risk, 9

assessment, 13–14

qualitative, 13–14

assets, 9

backups and, 11–12

IOC (indicator of compromise), 18

residual, 9

threats, 9–10, 18

vulnerabilities, 11

Rivest Cipher, 551

RMF (Risk Management Framework), 9

Robin Sage, 102

rogue APs, 467

evil twin attack, 468

KARMA attacks, 481

Ronen, E., 480

rooting, 455

rootkits, 2, 53, 214–216

RSA, 552

rubber hose attack, 560

rules, of ethical hacking, 24–25

Ryan, T., 102

S

salts, 211–212

SAM (Security Account Manager), 166, 203

sandbox, 287, 452, 454

Sasser worm, 254

scanning, 20, 51–52. See also port scanning

application-level, 420–421

for competitive intelligence, 102

containers, 600–601

host discovery, 123–124

open port idle, 128–129

port and service discovery, 124–131

vulnerability, 296–297

web server, 374

zombie, 128

script kiddies, 20–21

scripts

client-side attacks and, 336–337

NSE (Nmap Scripting Engine), 135–136, 179, 377

Scrum, 595

search engines, 96–101

Google, search terms, 96–97

security. See also risk

CIA (confidentiality, integrity, and availability) triad, 8–9

availability, 8

confidentiality, 8

integrity, 8

cloud computing, 593

goals of, 8–9

policies, 17

protocols, 563–565

testing, 14. See also ethical hacking

full-knowledge, 15

high-level assessment/audit, 16

network evaluation, 17

no-knowledge, 14–15

partial-knowledge, 15

pen test, 17

physical, 24

types of, 15–17

usability and, 7

Windows, 166–167

Securities and Exchange Commission, EDGAR database, 105–106

serverless computing, 598

AWS Lambda, 598

service rsyslog stop command, 213

services

fingerprinting, 145

open, finding, 145–148

session fixation attacks, 338

session hijacking, 58, 311, 330

application layer, 334

browser-based on-path attacks, 337

client-side attacks, 335–337

on-path attacks, 335–350

predictable session Token ID, 334–335

session fixation attacks, 338

session replay attacks, 338

session sniffing, 334

preventing, 341

tools, 338–340

transport layer, 330–333

identify and find an active session, 331

predict the sequence number, 332–333

take control of the session, 333

take one of the parties offline, 333

session replay attacks, 338

shared keys, 547

shellcode attacks, 508

Shellshock, 97

Shodan, 100–101

shoulder surfing, 248

showmount command, 184–185

side-channel attack, 559

SIDs (security identifiers), 165–166

single-authority trust, 556

site rippers, 378

site survey, 485

SLA (service-level agreement), 591

Slammer worm, 254

SLE (single loss expectancy), 13–14

SMAC, 323

SmartWhois, 109

SMS phishing, 245

SMTP (Simple Mail Transfer Protocol), 64

enumeration, 186–190

commands, 188–190

TCP ports, 187

open relay, 187–188

smtp-user-enum command, 190

sniffers, 314–315, 328

active, 314, 316

countermeasures, 328–330

detecting, 329

filters, 326–327

passive, 315–316

password, 197–198

session, 334

Wireshark, 61, 324–328, 368

SNMP (Simple Network Monitoring Protocol), 64

enumeration, 177–183

NSE (Nmap Scripting Engine), 179

snmp-check tool, 179–183

snmp-check tool, 179–183

snmp-user-enum command, 189–190

Snort, 502, 510

keywords, 503, 509

rules, 502–505

Squert and, 505

Snow, 568

social engineering, 24, 51, 228, 234–235

footprinting and, 121

malvertising, 236–237

motivation techniques, 247

pharming, 235–236

phishing, 235

pretexting, 246–247

shoulder surfing, 248

SMS phishing, 245

spear phishing, 237–244

USB baiting, 248

vishing, 245

whaling, 245–246

social networks

dangers of, 102

footprinting and, 101–102

software, 11

code signing, 421

down-level, 51–52

software development

Agile, 594–595

CI/CD (continuous integration/delivery) pipelines, 596–597

DevOps, 595–596

Scrum and, 595

waterfall methodology, 594

SolarWinds supply chain attack, 257

source code, commenting, 388

source routing, 74

SOX (Sarbanes-Oxley), 26

Spam Mimic, 569

spanning, 314

spear phishing, 237–244

Spectre, 199

spoofing, 74, 330, 543–544

ARP, 320

cell tower, 452

countermeasures, 328–330

DNS, 323–324

MAC, 323

spread-spectrum technology, 464

spyware, 229, 249, 278–279

SQL

exploits

Boolean technique, 431–432

out-of-band technique, 432–433

union operator, 430–431

fingerprinting, 430

injection, 425–429

hacking tools, 435–436

mitigations, 434–435

stored procedure, 434

time-delay, 433–434

statements, 422–425

Squert, 505

SSH (Secure Shell), 564

SSID (service set identifier), 469

SSL (Secure Sockets Layer), 564–565

starvation attack, 321

stateful inspection firewalls, 515–516

static analysis, 286–288

steganalysis, 571

steganography, 566

bitmaps and, 567

carriers, 566–567

digital watermarks, 571

filtering, 567

laser printers and, 570

masking, 567

sound files, 567

tools, 568–570

transformation, 567

types of, 566

StickyKeys, 200

Stingray device, 452

stolen equipment attack, 24

stored XSS attacks, 402–404

Storm bot/worm, 254

subnetting, 119–120

suicide hackers, 19

SuperScan, 139

symmetric encryption, 544, 546–547

AES (Advanced Encryption Standard), 550

DES (Data Encryption Standard), 548–550, 560

disadvantages of, 547–548

Rivest Cipher, 551

shared keys, 547

SYN flood attacks, 344, 611

syslog service, 523

system cracking/hacking, 21, 160, 193

automated password guessing, 197

keylogging, 198–199

nontechnical password attacks, 193–194

password guessing, 195–197

password sniffing, 197–198

privilege escalation, 199–200

technical password attacks, 194–195

T

TCP (Transmission Control Protocol), 66–67

flags, 66–68, 126

ports, 67–68, 125, 167, 187

three-way handshake, 125–126

tunneling, 272–273

tcpdump command, 367–368

TCP/IP (Transmission Control Protocol/Internet Protocol), 60–61

application layer, 62–66

Internet layer, 69–73

network access layer, 77–78

port-scanning techniques, 126–127

transport layer, 66–68

TCSEC (Trusted Computer System Evaluation Criteria), 268

technical password attacks, 194–195

Telnet, 64, 146–147

banner grabbing, 519–520

web server enumeration, 375–376

TFTP (Trivial File Transfer Protocol), 66, 523–524

THC-Amap, 139–140

THC-Hydra, 563

THC-Wardrive, 483

threats, 9–10, 18

throttling, 350

Tini, 261

TOE (target of evaluation), 14

too, Snort, rules, 504–505

tools, 30, 68. See also commands

AdMutate, 510

aircrack-ng, 469

airmon-ng, 469

airodump-ng, 469–470

AirSnare, 486–487

AirSnort, 484

AirTraf, 484

automated exploit, 393–395

BeEF (Browser Exploitation Framework), 394

Brutus, 563

Burp Proxy, 417

Burp Suite, 414

Cain and Abel, 484

Canvas, 394

CartoReso, 150

Core Impact, 394–395

coWPAtty, 484

CryptoTool, 563

curl, 145–146

Datapipe, 276

DDoS, 348–350

ELSave, 214

enum4linux, 173–176

Ettercap, 320

finger, 183

FPipe, 276

Google Hacking Database, 98–99

Hashcat, 207–209, 563

hping, 76, 140, 517–518

IDS (intrusion detection system)

evasion techniques, 509–510

flooding and, 507

insertion and evasion, 507

session splicing, 508

shellcode attacks and, 508

InSpy, 102

John the Ripper, 212–213, 563

KerbCrack, 198

Kismet, 484, 487

Maltego, 99

Meltdown, 199

Mendax, 510

Metasploit, 393

nbname, 176–177

Mimikatz, 197–198

nbtscan, 170

Nessus, 511

Netcat, 147, 275

web server enumeration, 376–377

NIDSbench, 511

Nikto, 148

NLog, 150

Nmap, 131–139, 384

decoy switch, 135

NSE scripts, 135–136

performing a three-step connection, 136–137

Nslookup, 112–113, 116

open-source, FOCA, 99

Ophcrack, 209

packetforge-ng, 481–482

password cracking, 413–414

ping, 123–124

PWdump, 205–206

RATs, 261–263

rpcinfo -p, 183

Reaver, 481

rootkits, 214–216

session hijacking, 338–340

Shodan, 100–101

site rippers, 378

SMAC, 323

SmartWhois, 109

sniffers, 328

countermeasures, 328–330

filters, 326–327

Wireshark, 61, 281–282, 324–328, 368

snmp-check, 179–183

Snort, 502, 510

keywords, 503, 509

rules, 502–503

Squert and, 505

Spectre, 199

SQL injection hacking, 435–436

static analysis, 286–288

steganographic, 567–570

SuperScan, 139

telnet, 146–147

THC-Amap, 139–140

THC-Hydra, 563

Tini, 261

traceroute, 74–76, 120–121, 149, 517

web proxies, 417–419

“What’s that site running?”, 103

WhatWeb, 375

whatweb, 148

Whois, 108–111

wireless hacking, 482–483

traceback, 610–611

traceroute, 74–76, 120–121, 149, 517

transport layer

session hijacking

identify and find an active session, 331

predict the sequence number, 332–333

take control of the session, 333

take one of the parties offline, 333

trapdoor functions, 551–552

tree-based assessments, 291

Triludan the Warrior, 33

Trojans, 255–256

banking, 608

distributing, 263–264

crypters, 265–267

droppers, 265

packers, 265

wrappers, 264–265

effects of, 260–261

goals of, 258–259

infection mechanisms, 259–260

ports and communication methods, 257–258

processes and, 280

tools

RATs, 261–263

Tini, 261

types of, 256–257

trust, 555

hierarchical, 556

single-authority, 556

web of, 557

TTL (Time To Live), 74–76

TTPs (tactics, techniques, and procedures), 18

tumbling, 449

tunneling

ICMP, 270–272

IPv6, 269–270

TCP, 272–273

UDP, 273

via the application layer, 273–274

U

UDP (User Datagram Protocol), 68

port scanning, 131, 137

tunneling, 273

Unicode, 383–384

United States

Computer Fraud and Abuse Act (1984), 33–34

Cyber Security Enhancement Act (2002), 34

Economic Espionage Act (1996), 34

Electronic Communications Privacy Act, 33

Federal Information and Security Management Act (FISMA, 2002), 34

Federal Sentencing Guidelines of 1991, 34

hacking laws, 32, 449–450

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act, 34

UNIX, enumeration, 183–185

UPX, 287

URLs, 103, 370–371, 523

encoding, 382–383

obfuscation, 415–417

USB baiting, 248, 258

Uuencode, 562

V

Vanhoef, M., 479–480

Virdem, 252

virus(es), 10, 248–249

AI and, 250–251

anti-detection routine, 251

Brain, 252

cluster, 250

creation tools, 255

fast infection, 250

history of, 252–253

infection routine, 251

macro, 250

multipartite, 250

payloads, 251–252

propagation, 253–255

search routine, 251

transmission methods, 249–251

trigger routine, 251

vishing, 245

VM (virtual machine), 288

VoIP (Voice over IP), 191

volumetric attacks, 343–344

VRFY command, 188–189

vrfy command, 184

vulnerability(ies), 11, 145–146

analysis, 290

external vs. internal assessments, 290–291

passive vs. active assessments, 290

solutions, 291

tree-based vs. inference-based assessments, 291–292

exploits and, 296

keeping up to date, 30–31

scanners, 52, 296–297

Nikto, 148

scoring systems, 292

CVSS (Common Vulnerability Scoring System), 292–295

web application, cross-site scripting, 400–401

web server, 379, 386–388

comments in source code, 388

error handling, 389

hard-coded credentials, 389

race credentials, 389–390

unprotected APIs, 390–392

W

WannaCry, 267

war driving, 472

waterfall methodology, 594

watering-hole attack, 52, 202, 260

WaveStumbler, 483

Wayback Machine, 104

weak encryption, 561

Base64, 562

Uuencode, 562

XOR (exclusive ORing), 561

web applications

attacking, 398, 410–411

DOM-based XSS attacks, 404–405

parameter tampering, 399

reflected XSS attacks, 401–402

stored XSS attacks, 402–404

unvalidated input, 398–399

buffer overflows, 410–411

clickjacking, 409

cookies, 414–415

cross-site scripting, 400–401

CSRF attacks, 408–409

injection flaws, 399–400

OWASP Cross-Site Scripting Prevention Cheat Sheet, 406–407

password cracking, 412–413

securing, 419–421

URL obfuscation, 415–417

XSS evasion techniques, 405–406

web browsers, 368–369

code signing, 393

on-path attacks, 337

Trojans and, 259–260

web of trust, 557

web proxies, 417–419

web servers, 366

attacking, 380

automated exploit tools, 393–395

directory traversal, 382–384

DNS server hijacking and amplification attacks, 380–382

DoS/DDoS attacks, 380

hidden element tampering, 393

HTTP response splitting, 385

on-path attacks, 384

disable unwanted services, 396

enumeration

Netcat, 376–377

Telnet, 375–376

WhatWeb, 375

file system, 396

hardening, 395

logging and, 396

misconfiguration, 384–385

password cracking, 386

patch management, 395

scanning, 374

vulnerabilities, 386–388

comments in source code, 388

error handling, 389

hard-coded credentials, 389

race credentials, 389–390

unprotected APIs, 390–392

vulnerability identification, 379

vulnerability scanning, 397–398

WebGoat, 425

websites

data aggregation brokerage, 106–107

defacement, 384

enumeration

Httprint, 378–379

NSE scripts, 377

exploit-db.com, 51–52

financial information, 106

footprinting and, 103–106

GitHub, 135

Google Hacking Database, 98–99

keeping up with current vulnerabilities, 30–31

w3schools.com, 370, 423

Wayback Machine, 104

Zabasearch, 107

WebSploit, 151

WEP (Wired Equivalent Privacy), 445, 464–466

attacking, 472–474

XORing, 465

whaling, 245–246

WhatWeb, 375

whatweb, banner grabbing, 148

white box testing, 15

Whois, 108–111

Wi-Fi, 461–462

IoT and, 605

Windows. See also NetBIOS

AD (Active Directory), 166

architecture, 164–165

authentication, 203–205

enumeration, 164

IPC$ (InterProcess Communication) and, 168

NetBIOS, 167–177

LSASS (Local Security Authority Server Service), 167

Mobile Operating System, 456

net commands, 168

null session, 168–169

password cracking, 205–209

brute-force attacks, 206

dictionary attacks, 206

Hashcat, 207–209

Ophcrack, 209

PWdump, 205–206

tools, 206–207

RIDs (relative identifiers), 166

SAM (Security Account Manager), 166

security, 166–167

SIDs (security identifiers), 165–166

StickyKeys, 200

wireless communication, 24, 444. See also WLANs

authentication, 485–486

Bluetooth, 458, 460

classifications, 458

versions, 458–459

CSMA/CA (carrier-sense multiple access with collision avoidance), 463

hacking tools, 482–483

IDS (intrusion detection system), 486–487

jamming, 472

RFID (radio frequency identification) attacks, 461

spread-spectrum technology, 464

traffic analysis, 483

Wi-Fi, 461–462

WLANs, 462

ad-hoc, 462

hidden node problem, 463

infrastructure, 462–463

RTS (ready to send), 463

standards, 463–464

Wireshark, 61, 281–282, 324–328, 368

WLANs, 462

ad-hoc, 462

attacking the preferred network lists, 472

deauthentication attacks, 468–471

evil twin attacks, 468

fragAttacks, 480

fragmentation attacks, 481–482

infrastructure, 462–463

KRACK (Key Reinstallation AttaCK) attacks, 479

MFP (Management Frame Protection), 471

rogue APs, 467

RTS (ready to send), 463

security

OSA (Open System Authentication), 478–479

WEP (Wired Equivalent Privacy), 464–466

WPA (Wi-Fi Protected Access), 466–467

standards, 463–464

war driving, 472

WPA3, attacks against, 479–480

WPS (Wi-Fi Protected Setup), 481

worms, 253

Code Red, 253

Conficker, 254

Nimda, 253–254, 383

Sasser, 254

Slammer, 254

Storm, 254

WPA (Wi-Fi Protected Access), 445, 466–467

4-way handshake, 475

attacking, 474–478

WPA3, attacks against, 479–480

WPS (Wi-Fi Protected Setup), 480–481

wrappers, 264–265

X

X.509, 554–555

XMAS tree scan, 68

XOR (exclusive ORing), 411–412, 561

WEP and, 465

Xprobe2, 144

XSS (cross-site scripting), 400–404

DOM-based attacks, 404–405

evasion techniques, 405–406

mitigations, 406–408

preventing, 407–408

Y

Yahoo Boys, 20–21

Yarochkin, F., 131

Z

Zabasearch, 107

zero-day exploit, 12

Zigbee, 604

zombie scan, 128

zone transfers, 112–116, 118

Z-Wave, 604–605


Cloud Monk is Retired (for now). Buddha with you. © 2005 - 2024 Losang Jinpa or Fair Use. Disclaimers


ceh_certified_ethical_hacker_cert_guide_index.txt · Last modified: 2022/09/27 15:05 by 127.0.0.1