All-In-One / CEH™ Certified Ethical Hacker All-in-One Exam Guide / Matt Walker / 648-9/ FM ALL IN ONE CEH Certified ™ Ethical Hacker E X A M G U I D E Second Edition 00-FM.indd 1 14/03/14 5:17 PM Infocomm AIO / CTS® Certified Technology Specialist Exam Guide, Second Edition / Grimes / 796-9 / FM ABOUT THE AUTHOR Matt Walker is currently an IT security architect working for Hewlett-Packard on NASA’s desktop support contract. An IT security and education professional for more than 20 years, he has served as the director of the Network Training Center and a curriculum lead/senior instructor for Cisco Networking Academy on Ramstein AB, Germany, and as a network engineer for NASA’s Secure Network Systems (NSS), designing and main- taining secured data, voice, and video networking for the agency. Matt also worked as an instructor supervisor and senior instructor at Dynetics, Inc., in Huntsville, Alabama, providing on-site certification awarding classes for ISC2, Cisco, and CompTIA, and after two years he came right back to NASA as an IT security manager for UNITeS, SAIC, at Marshall Space Flight Center. He has written and contributed to numerous techni- cal training books for NASA, Air Education and Training Command, and the U.S. Air Force, as well as commercially, and he continues to train and write certification and college-level IT and IA security courses. Matt holds numerous commercial certifica- tions, including CEHv7, CPTS, CNDA, CCNA, and MCSE. About the Technical Editor Brad Horton currently works as an information security specialist with the U.S. Depart- ment of Defense. Brad has worked as a security engineer, commercial security consul- tant, penetration tester, and information systems researcher in both the private and public sectors. This has included work with several defense contractors, including General Dynamics C4S, SAIC, and Dynetics, Inc. Brad currently holds the Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified Information Systems Auditor (CISA), and the recently expired Cisco Certified Network Associate (CCNA) trade certifications. Brad holds a bachelor’s degree in Commerce and Business Administration from the University of Alabama, a master’s degree in Management of Information Systems from the University of Alabama in Huntsville (UAH), and a graduate certificate in Information Assurance from UAH. When not hacking, Brad can be found at home with his family or on a local golf course. The views and opinions expressed in all portions of this publication belong solely to the author and/or editor and do not necessarily state or reflect those of the Department of Defense or the United States Government. References within this publication to any specific commercial product, process, or service by trade name, trademark, manufac- turer, or otherwise, do not necessarily constitute or imply its endorsement, recommen- dation, or favoring by the United States Government. 00-FM.indd 2 14/03/14 3:08 PM All-In-One / CEH™ Certified Ethical Hacker All-in-One Exam Guide / Matt Walker / 648-9/ FM ALL IN ONE CEH Certified ™ Ethical Hacker E X A M G U I D E Second Edition Matt Walker New York • Chicago • San Francisco Athens • London • Madrid • Mexico City Milan • New Delhi • Singapore • Sydney • Toronto McGraw-Hill Education is an independent entity from the International Council of E-Commerce Consultants® (EC-Council) and is not affiliated with EC-Council in any manner. This study/training guide and/or material is not sponsored by, endorsed by, or affiliated with EC-Council in any manner. This publication and CD-ROM may be used in assisting students to prepare for The Certified Ethical Hacker (CEH™) exam. Neither EC-Council nor McGraw-Hill Education warrant that use of this publication and CD-ROM will ensure passing any exam. CEH is a trademark or registered trademark of EC-Council in the United States and certain other countries. All other trademarks are trademarks of their respective owners. 00-FM.indd 3 14/03/14 5:22 PM All-In-One / CEH™ Certified Ethical Hacker All-in-One Exam Guide / Matt Walker / 648-9/ FM Cataloging-in-Publication Data is on file with the Library of Congress McGraw-Hill Education books are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative, please visit the Contact Us pages at www.mhprofessional.com. CEH™ Certified Ethical Hacker All-in-One Exam Guide, Second Edition Copyright © 2014 by McGraw-Hill Education. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. All trademarks or copyrights mentioned herein are the possession of their respective owners and McGraw-Hill Education makes no claim of ownership by the mention of products that contain these marks. ISBN: Book p/n 978-0-07-183645-6 and CD p/n 978-0-07-183646-3 of set 978-0-07-183648-7 MHID: Book p/n 0-07-183645-4 and CD p/n 0-07-183646-2 of set 0-07-183648-9 Sponsoring Editor Technical Editor Production Supervisor Timothy Green Brad Horton George Anderson Editorial Supervisor Copy Editor Composition Jody McKenzie Kim Wimpsett Cenveo Publisher Services Project Editor Proofreader Illustration Sheena Uprety, Paul Tyler Cenveo Publisher Services Cenveo® Publisher Services Art Director, Cover Indexer Acquisitions Coordinator Jeff Weeks Mary Demery Karin Arrigoni Information has been obtained by McGraw-Hill Education from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill Education, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information. The views and opinions expressed in all portions of this publication belong solely to the author and/or editor and do not necessarily state or reflect those of the Department of Defense or the United States Government. References within this publication to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, do not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. Some glossary terms included in this book may be considered public information as designated by The National Institute of Standards and Technology (NIST). NIST is an agency of the U.S. Department of Commerce. Please visit www.nist.gov for more information. 00-FM.indd 4 14/03/14 3:03 PM All-In-One / CSSLP Certification All-in-One Exam Guide / Conklin /026-1 / FM This book is dedicated to my mother, Helen Ruth Walker. I love her with all my heart. 00-FM.indd 5 10/03/14 5:48 PM All-In-One / CEH™ Certified Ethical Hacker All-in-One Exam Guide / Matt Walker / 648-9/ FM This page is intentionally left blank to match the printed book. 00-FM.indd 6 10/03/14 5:48 PM AAllll--IInn--OOnnee // CCEEHH™™ CCeerrttiififieedd EEtthhiiccaall HHaacckkeerr AAllll--iinn--OOnnee EExxaamm GGuuiiddee // MMaatttt WWaallkkeerr // 664488--99// FFMM CONTENTS AT A GLANCE Chapter 1 Getting Started: Essential Knowledge ........................... 1 Chapter 2 Reconnaissance: Information Gathering for the Ethical Hacker ........................................ 35 Chapter 3 Scanning and Enumeration ...................................... 73 Chapter 4 Sniffing and Evasion ............................................. 117 Chapter 5 Attacking a System ............................................. 155 Chapter 6 Web-Based Hacking: Servers and Applications .................. 199 Chapter 7 Wireless Network Hacking ..................................... 229 Chapter 8 Trojans and Other Attacks ...................................... 263 Chapter 9 Cryptography 101 .............................................. 293 Chapter 10 Low Tech: Social Engineering and Physical Security .............. 321 Chapter 11 The Pen Test: Putting It All Together ............................. 351 Appendix A Tool, Sites, and References ...................................... 367 Appendix B About the CD-ROM ............................................ 383 Glossary ........................................................ 385 Index ........................................................... 415 vii 00-FM.indd 7 10/03/14 5:48 PM AAllll--IInn--OOnnee // CCEEHH™™ CCeerrttiififieedd EEtthhiiccaall HHaacckkeerr AAllll--iinn--OOnnee EExxaamm GGuuiiddee // MMaatttt WWaallkkeerr // 664488--99// FFMM This page is intentionally left blank to match the printed book. 00-FM.indd 8 10/03/14 5:48 PM AAllll--IInn--OOnnee // CCEEHH™™ CCeerrttiififieedd EEtthhiiccaall HHaacckkeerr AAllll--iinn--OOnnee EExxaamm GGuuiiddee // MMaatttt WWaallkkeerr // 664488--99// FFMM CONTENTS Acknowledgments ................................................ xv Introduction ...................................................... xvii Chapter 1 Getting Started: Essential Knowledge ........................... 1 Security 101 ...................................................... 2 Basic Networking ........................................... 2 Security Essentials .......................................... 8 Introduction to Ethical Hacking ................................... 18 Hacking Terminology ....................................... 18 The Ethical Hacker ......................................... 26 Chapter Review ................................................... 28 Questions .................................................. 30 Answers .................................................... 33 Chapter 2 Reconnaissance: Information Gathering for the Ethical Hacker .. 35 Getting Started ................................................... 36 Vulnerability Research ...................................... 37 Footprinting ...................................................... 42 Passive Footprinting ........................................ 43 Active Footprinting ......................................... 47 DNS Footprinting .......................................... 48 Determining Network Range ................................ 58 Google Hacking ............................................. 60 Footprinting Tools .......................................... 65 Chapter Review ................................................... 66 Questions .................................................. 69 Answers .................................................... 71 Chapter 3 Scanning and Enumeration ...................................... 73 Scanning Fundamentals .......................................... 74 Scanning Methodology ..................................... 74 The TCP Handshake ........................................ 75 Identifying Targets .......................................... 84 Port Scanning .............................................. 89 Enumeration ..................................................... 101 Windows System Basics ..................................... 101 Enumeration Techniques ................................... 104 Chapter Review ................................................... 109 Questions .................................................. 112 Answers .................................................... 115 ix 00-FM.indd 9 10/03/14 5:48 PM All-In-One / CEH™ Certified Ethical Hacker All-in-One Exam Guide / Matt Walker / 648-9/ FM CEH Certified Ethical Hacker All-in-One Exam Guide x Chapter 4 Sniffing and Evasion ............................................. 117 Fundamentals .................................................... 118 How It All Works ........................................... 118 Passive and Active Sniffing .................................. 127 Sniffing Tools and Techniques .................................... 130 Wireshark .................................................. 130 Other Tools ................................................ 134 Evasion ........................................................... 135 IDS ........................................................ 135 Firewalls ................................................... 143 Chapter Review ................................................... 146 Questions .................................................. 151 Answers .................................................... 154 Chapter 5 Attacking a System ............................................. 155 Getting Started ................................................... 156 Methodology ............................................... 156 Windows Security Architecture .............................. 158 Linux Security Architecture ................................. 164 Cracking Passwords ............................................... 170 Password 101 ............................................... 171 Password Attacks ........................................... 172 Privilege Escalation and Executing Applications ................... 179 Privilege Escalation ......................................... 180 Executing Applications ..................................... 183 Stealth ........................................................... 184 Hiding Files and Activity .................................... 184 Covering Your Tracks ....................................... 188 Chapter Review ................................................... 190 Questions .................................................. 194 Answers .................................................... 196 Chapter 6 Web-Based Hacking: Servers and Applications .................. 199 Attacking Web Servers ............................................ 200 Web Server Architecture ..................................... 200 Attack Methodology ........................................ 204 Web Server Attacks ......................................... 206 Attacking Web Applications ....................................... 211 Web Application Architecture ............................... 211 Application Attacks ......................................... 212 SQL Injection .............................................. 217 Chapter Review ................................................... 221 Questions .................................................. 224 Answers .................................................... 227 00-FM.indd 10 10/03/14 5:48 PM