CEH v10 Certified Ethical Hacker Study Guide

Ric Messier, CEH, GCIH, GSEC, CISSP
Development Editor: Kim Wimpsett
Technical Editors: Russ Christy and Megan Daudelin
Senior Production Editor: Christine O’Connor
Copy Editor: Judy Flynn
Editorial Manager: Pete Gaughan
Production Manager: Kathleen Wisor
Associate Publisher: Jim Minatel
Book Designers: Judy Fung and Bill Gibson
Proofreader: Louise Watson, Word One New York
Indexer: Johnna VanHoose Dinse
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: Getty Images Inc. / Jeremy Woodhouse
Copyright © 2019 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-53319-1
ISBN: 978-1-119-53325-2 (ebk.)
ISBN: 978-1-119-53326-9 (ebk.)
Manufactured in the United States of America
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or
by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as
permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior
written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to
the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978)
646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department,
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or
online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or
warranties with respect to the accuracy or completeness of the contents of this work and specifically
disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No
warranty may be created or extended by sales or promotional materials. The advice and strategies
contained herein may not be suitable for every situation. This work is sold with the understanding that
the publisher is not engaged in rendering legal, accounting, or other professional services. If professional
assistance is required, the services of a competent professional person should be sought. Neither the
publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or
Web site is referred to in this work as a citation and/or a potential source of further information does not
mean that the author or the publisher endorses the information the organization or Web site may provide
or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this
work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact
our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or
fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material
included with standard print versions of this book may not be included in e-books or in print-on-demand.
If this book refers to media such as a CD or DVD that is not included in the version you purchased, you
may download this material at http://booksupport.wiley.com. For more information about Wiley
products, visit www.wiley.com.
Library of Congress Control Number: 2019940400
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of
John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used
without written permission. CEH is a trademark of EC-Council. All other trademarks are the property of
their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned
in this book.
About the Author
Ric Messier, GCIH, GSEC, CEH, CISSP, MS, has entirely too many letters after his name,
as though he spends time gathering up strays that follow him home at the end of the day.
His interest in information security began in high school but was cemented when he was
a freshman at the University of Maine, Orono, when he took advantage of a vulnerability
in a jailed environment to break out of the jail and gain elevated privileges on an IBM
mainframe in the early 1980s. His first experience with Unix was in the mid-1980s and
with Linux in the mid-1990s. Ric is an author, trainer, educator, and security professional
with multiple decades of experience. He is currently a Senior Information Security
Consultant with FireEye Mandiant and occasionally teaches courses at Harvard University
and the University of Colorado Boulder.
Contents at a Glance
Introduction xvii

Assessment Test xxiv

Chapter 1 Ethical Hacking 1
Chapter 2 Networking Foundations 9
Chapter 3 Security Foundations 49
Chapter 4 Footprinting and Reconnaissance 83
Chapter 5 Scanning Networks 135
Chapter 6 Enumeration 193
Chapter 7 System Hacking 233
Chapter 8 Malware 279
Chapter 9 Sniffing 321
Chapter 10 Social Engineering 357
Chapter 11 Wireless Security 387
Chapter 12 Attack and Defense 419
Chapter 13 Cryptography 447
Chapter 14 Security Architecture and Design 475

Appendix Answers to Review Questions 501

Index 531
Contents
Introduction xvii

Assessment Test xxiv

Chapter 1 Ethical Hacking 1


Overview of Ethics 2
Overview of Ethical Hacking 4
Methodology of Ethical Hacking 5
Reconnaissance and Footprinting 6
Scanning and Enumeration 6
Gaining Access 7
Maintaining Access 7
Covering Tracks 8
Summary 8

Chapter 2 Networking Foundations 9


Communications Models 11
Open Systems Interconnection 12
TCP/IP Architecture 15
Topologies 16
Bus Network 16
Star Network 17
Ring Network 18
Mesh Network 19
Hybrid 20
Physical Networking 21
Addressing 21
Switching 22
IP 23
Headers 23
Addressing 25
Subnets 26
TCP 28
UDP 31
Internet Control Message Protocol 32
Network Architectures 33
Network Types 34
Isolation 35
Remote Access 36
x Contents

Cloud Computing 36
Storage as a Service 37
Infrastructure as a Service 39
Platform as a Service 40
Software as a Service 42
Internet of Things 43
Summary 44
Review Questions 46

Chapter 3 Security Foundations 49


The Triad 51
Confidentiality 51
Integrity 53
Availability 54
Parkerian Hexad 55
Risk 56
Policies, Standards, and Procedures 58
Security Policies 58
Security Standards 59
Procedures 60
Guidelines 60
Security Technology 61
Firewalls 61
Intrusion Detection Systems 65
Intrusion Prevention Systems 68
Security Information and Event Management 69
Being Prepared 70
Defense in Depth 71
Defense in Breadth 73
Logging 74
Auditing 76
Summary 78
Review Questions 79

Chapter 4 Footprinting and Reconnaissance 83


Open-Source Intelligence 85
Companies 85
People 93
Social Networking 97
Domain Name System 108
Name Lookups 109
Zone Transfers 115
Passive Reconnaissance 117
Website Intelligence 120
Technology Intelligence 124
Google Hacking 125
Internet of Things (IoT) 126
Summary 128
Review Questions 130

Chapter 5 Scanning Networks 135


Ping Sweeps 137
Using fping 137
Using MegaPing 139
Port Scanning 141
Nmap 142
masscan 155
MegaPing 157
Vulnerability Scanning 159
OpenVAS 160
Nessus 171
Packet Crafting and Manipulation 177
hping 178
packETH 180
fragroute 183
Evasion Techniques 185
Summary 187
Review Questions 189

Chapter 6 Enumeration 193


Service Enumeration 195
Remote Procedure Calls 198
SunRPC 198
Remote Method Invocation 200
Server Message Block 204
Built-In Utilities 205
Nmap Scripts 207
Metasploit 209
Other Utilities 212
Simple Network Management Protocol 215
Simple Mail Transfer Protocol 217
Web-Based Enumeration 220
Summary 226
Review Questions 228
Chapter 7 System Hacking 233


Searching for Exploits 234
System Compromise 239
Metasploit Modules 239
Exploit-DB 243
Gathering Passwords 245
Password Cracking 248
John the Ripper 248
Rainbow Tables 250
Client-Side Vulnerabilities 253
Post Exploitation 255
Privilege Escalation 255
Pivoting 260
Persistence 262
Covering Tracks 265
Summary 272
Review Questions 274

Chapter 8 Malware 279


Malware Types 281
Virus 281
Worm 282
Trojan 284
Botnet 284
Ransomware 285
Dropper 286
Malware Analysis 287
Static Analysis 288
Dynamic Analysis 296
Creating Malware 305
Writing Your Own 305
Using Metasploit 308
Malware Infrastructure 311
Antivirus Solutions 314
Summary 314
Review Questions 316

Chapter 9 Sniffing 321


Packet Capture 322
tcpdump 323
tshark 329
Wireshark 331
Berkeley Packet Filter (BPF) 335
Port Mirroring/Spanning 336
Packet Analysis 337
Spoofing Attacks 342
ARP Spoofing 342
DNS Spoofing 346
sslstrip 348
Summary 350
Review Questions 352

Chapter 10 Social Engineering 357


Social Engineering 358
Pretexting 360
Social Engineering Vectors 362
Physical Social Engineering 362
Badge Access 363
Man Traps 364
Biometrics 365
Phone Calls 366
Baiting 367
Phishing Attacks 368
Website Attacks 371
Cloning 371
Rogue Attacks 374
Wireless Social Engineering 375
Automating Social Engineering 379
Summary 381
Review Questions 383

Chapter 11 Wireless Security 387


Wi-Fi 388
Wi-Fi Network Types 390
Wi-Fi Authentication 392
Wi-Fi Encryption 393
Bring Your Own Device (BYOD) 397
Wi-Fi Attacks 398
Bluetooth 407
Scanning 408
Bluejacking 409
Bluesnarfing 410
Bluebugging 410
Mobile Devices 411
Mobile Device Attacks 412
Summary 414
Review Questions 416
Chapter 12 Attack and Defense 419


Web Application Attacks 420
XML External Entity Processing 422
Cross-Site Scripting (XSS) 423
SQL Injection 425
Command Injection 427
Denial of Service Attacks 428
Bandwidth Attacks 428
Slow Attacks 431
Legacy 432
Application Exploitation 433
Buffer Overflow 433
Heap Spraying 436
Lateral Movement 436
Defense in Depth/Defense in Breadth 438
Defensible Network Architecture 440
Summary 441
Review Questions 443

Chapter 13 Cryptography 447


Basic Encryption 449
Substitution Ciphers 449
Diffie-Hellman 452
Symmetric Key Cryptography 453
Data Encryption Standard (DES) 453
Advanced Encryption Standard (AES) 454
Asymmetric Key Cryptography 456
Hybrid Cryptosystem 456
Non-Repudiation 457
Elliptic Curve Cryptography 457
Certificate Authorities and Key Management 459
Certificate Authority 459
Trusted Third Party 462
Self-Signed Certificates 463
Cryptographic Hashing 465
PGP and S/MIME 467
Summary 469
Review Questions 471
Chapter 14 Security Architecture and Design 475


Data Classification 476
Security Models 478
State Machine 478
Biba 479
Bell-LaPadula 480
Clark-Wilson Integrity Model 480
Application Architecture 481
n-tier Application Design 482
Service-Oriented Architecture 485
Cloud-Based Applications 487
Database Considerations 489
Security Architecture 492
Summary 495
Review Questions 497

Appendix Answers to Review Questions 501


Chapter 2: Networking Foundations 502
Chapter 3: Security Foundations 503
Chapter 4: Footprinting and Reconnaissance 506
Chapter 5: Scanning Networks 508
Chapter 6: Enumeration 511
Chapter 7: System Hacking 513
Chapter 8: Malware 515
Chapter 9: Sniffing 518
Chapter 10: Social Engineering 519
Chapter 11: Wireless Security 522
Chapter 12: Attack and Defense 524
Chapter 13: Cryptography 526
Chapter 14: Security Architecture and Design 528
Index 531
Introduction
You’re thinking about becoming a Certified Ethical Hacker (CEH). No matter what
variation of security testing you are performing—ethical hacking, penetration testing, red
teaming or application assessment—the skills and knowledge necessary to achieve this
certification are in demand. Even the idea of security testing and ethical hacking is evolving as
businesses and organizations begin to have a better understanding of the adversaries they
are facing. It’s no longer the so-called script kiddies that businesses felt they were fending
off for so long. Today’s adversary is organized, well-funded, and determined. This means
testing requires different tactics.
Depending on who you are listening to, 80–90 percent of attacks today use social
engineering. The old technique of looking for technical vulnerabilities in network services is
simply not how attackers are getting into networks. Networks that are focused on applying
a defense in depth approach, hardening the outside, may end up being susceptible to attacks
from the inside, which is what happens when desktop systems are compromised. The skills
needed to identify vulnerabilities and recommend remediations are evolving, along with the
tactics and techniques used by attackers.
This book is written to help you understand the breadth of content you will need
to know to obtain the CEH certification. You will find a lot of concepts to provide
you a foundation that can be applied to the skills required for the certification. While
you can read this book cover to cover, for a substantial chunk of the subjects getting
hands-on experience is essential. The concepts are often demonstrated through the use
of tools. Following along with these demonstrations and using the tools yourself will
help you understand the tools and how to use them. Many of the demonstrations are
done in Kali Linux, though many of the tools have Windows analogs if you are more
comfortable there.
We can’t get through this without talking about ethics, though you will find it
mentioned several places throughout the book. This is serious, and not only because it’s a huge
part of the basis for the certification. It’s also essential for protecting yourself and the
people you are working for. The very short version of it is do not do anything that would
cause damage to systems or your employer. There is much more to it than that, which you’ll
read more about in Chapter 1 as a starting point. It’s necessary to start wrapping your head
around the ethics involved in this exam and profession. You will have to sign an agreement
as part of achieving your certification.
At the end of each chapter, you will find a set of questions. This will help you to
demonstrate to yourself that you understand the content. Most of the questions are multiple
choice, which is the question format used for the CEH exam. These questions, along
with the hands-on experience you take advantage of, will be good preparation for taking
the exam.
xviii Introduction

What Is a CEH?
The Certified Ethical Hacker (CEH) exam is intended to validate that those holding the certification
understand the broad range of subject matter that is required for someone to be an effective
ethical hacker. The reality is that most days, if you are paying attention to the news, you
will see a news story about a company that has been compromised and had data stolen, a
government that has been attacked, or even enormous denial of service attacks, making it
difficult for users to gain access to business resources.
The CEH is a certification that recognizes the importance of identifying security issues
in order to get them remediated. This is one way companies can protect themselves against
attacks—by getting there before the attackers do. It requires someone who knows how to
follow techniques that attackers would normally use. Just running scans using automated
tools is insufficient because as good as security scanners may be, they will identify false
positives—cases where the scanner indicates an issue that isn’t really an issue. Additionally,
they will miss a lot of vulnerabilities—false negatives—for a variety of reasons, including
the fact that the vulnerability or attack may not be known.
Because companies need to understand where they are vulnerable to attack, they need
people who are able to identify those vulnerabilities, which can be very complex. Scanners
are a good start, but being able to find holes in complex networks can take the creative
intelligence that humans offer. This is why we need ethical hackers. These are people who
can take extensive knowledge of a broad range of technical subjects and use it to identify
vulnerabilities that can be exploited.
The important part of that two-word phrase, by the way, is “ethical.” Companies have
protections in place because they have resources they don’t want stolen or damaged. When
they bring in someone who is looking for vulnerabilities to exploit, they need to be certain
that nothing will be stolen or damaged. They also need to be certain that anything that
may be seen or reviewed isn’t shared with anyone else. This is especially true when it comes
to any vulnerabilities that have been identified.
The CEH exam, then, has a dual purpose. It not only tests deeply technical knowledge
but also binds anyone who is a certification holder to a code of conduct. Not only will you
be expected to know the content and expectations of that code of conduct, you will be
expected to live by that code. When companies hire or contract to people who have their
CEH certification, they can be assured they have brought on someone with discretion who
can keep their secrets and provide them with professional service in order to help improve
their security posture and keep their important resources protected.

The Subject Matter


If you were to take the CEH v10 training, you would have to go through the following
modules:
■ Introduction to Ethical Hacking
■ Footprinting and Reconnaissance
■ Scanning Networks
■ Enumeration
■ Vulnerability Analysis
■ System Hacking
■ Malware Threats
■ Sniffing
■ Social Engineering
■ Denial of Service
■ Session Hijacking
■ Evading IDSs, Firewalls, and Honeypots
■ Hacking Web Servers
■ Hacking Web Applications
■ SQL Injection
■ Hacking Wireless Networks
■ Hacking Mobile Platforms
■ IoT Hacking
■ Cloud Computing
■ Cryptography
As you can see, the range of subjects is very broad. Beyond knowing the concepts
associated with these topics, you will be expected to know about various tools that may be used
to perform the actions associated with the concepts you are learning. You will need to
know tools like nmap for port scanning, for example. You may need to know proxy-based
web application attack tools. For wireless network attacks, you may need to know about
the aircrack-ng suite of tools. For every module listed above, there are potentially dozens of
tools that may be used.
The subject matter of the CEH exam is very technical. This is not a field in which you
can get by with theoretical knowledge. You will need to have had experience with the
methods and tools that are covered within the subject matter for the CEH exam. What you
may also have noticed here is that the modules all fall within the different stages mentioned
earlier. While you may not necessarily be asked for a specific methodology, you will find
that the contents of the exam do generally follow the methodology that the EC-Council
believes to be a standard approach.

About the Exam


The CEH exam has much the same parameters as other professional certification exams.
You will take a computerized, proctored exam. You will have 4 hours to complete
125 questions. That means you will have, on average, roughly 2 minutes per question.
The questions are all multiple choice. The exam can be taken through the ECC Exam
Center or at a Pearson VUE center.
Should you wish to take your certification even further, you could go after the CEH
Practical exam. For this exam you must perform an actual penetration test and write a
report at the end of it. This demonstrates that in addition to knowing the body of material
covered by the exam, you can put that knowledge to use in a practical way. You will be
expected to know how to compromise systems and identify vulnerabilities.
In order to pass the exam, you will have to correctly answer questions, though the
actual number of questions you have to answer correctly will vary. The passing grade varies
depending on the difficulty of the questions asked. The harder the questions that are asked
out of the complete pool of questions, the fewer questions you need to get right to pass the
exam. If you get easier questions, you will need to get more of the questions right to pass.
There are some sources of information that will tell you that you need to get 70 percent of
the questions right, and that may be okay for general guidance and preparation as a rough
low-end marker. However, keep in mind that when you sit down to take the actual test at
the testing center, the passing grade will vary.
The good news is that you will know whether you passed before you leave the testing
center. You will get your score when you finish the exam and you will also get a piece of
paper indicating the details of your grade. You will get feedback associated with the differ-
ent scoring areas and how you performed in each of them.

Who Is Eligible
Not everyone is eligible to sit for the CEH exam. Before you go too far down the road, you
should check your qualifications. Just as a starting point, you have to be at least 18 years of
age. The other eligibility standards are as follows:
■ Anyone who holds versions 1–7 of the CEH certification. The CEH certification is
ANSI accredited now, but early versions of the exam were available before the
accreditation. Anyone who wants to take the ANSI-accredited certification and who has
an early version of the CEH certification can take the exam.
■ Minimum of two years of related work experience. Anyone who qualifies through
experience will have to pay a non-refundable application fee of $100.
■ Have taken an EC-Council training.
If you meet these qualification standards, you can apply for the certification, along with
paying the fee if it is applicable to you (if you take one of the EC-Council trainings, the fee
is included). The application will be valid for three months.

Exam Cost
In order to take the certification exam, you need to pay for a Pearson VUE exam
voucher. The cost of this is $1,199. You could also obtain an EC-Council voucher for
$950, but that requires that you have taken EC-Council training and can provide a
Certificate of Attendance.

About EC-Council
The International Council of Electronic Commerce Consultants is more commonly
known as the EC-Council. It was created after the airplane attacks that happened
against the United States on 9/11/01. The founder, Jay Bavisi, wondered what would
happen if the perpetrators of the attack decided to move from the kinetic world to the
digital world. Even beyond that particular set of attackers, the Internet has become
a host to a large number of people who are interested in causing damage or stealing
information. The economics of the Internet, meaning the low cost of entry into the
business, encourage criminals to use it as a means of stealing information, ransoming
data, or other malicious acts.
The EC-Council is considered to be one of the largest certifying bodies in the world.
They operate in 145 countries and have certified more than 200,000 people. In addition to
the CEH, the EC-Council also administers a number of other IT-related certifications. They
manage the following certifications:
■ Certified Network Defender (CND)
■ Certified Ethical Hacker (CEH)
■ Certified Ethical Hacker Practical
■ EC-Council Certified Security Analyst (ECSA)
■ EC-Council Certified Security Analyst Practical
■ Licensed Penetration Tester (LPT)
■ Computer Hacking Forensic Investigator (CHFI)
■ Certified Chief Information Security Officer (CCISO)
One advantage to holding a certification from the EC-Council is that the
organization has been accredited by the American National Standards Institute (ANSI).
Additionally, and perhaps more importantly for potential certification holders, the
certifications from EC-Council are recognized worldwide and have been endorsed by
governmental agencies like the National Security Agency (NSA). The Department of
Defense Directive 8570 includes the CEH certification. This is important because
having the CEH certification means that you could be quickly qualified for a number of
positions with the United States government.
The CEH certification provides a bar. This means that there is a set of known standards.
In order to obtain the certification, you will need to have met at least the minimal standard.
These standards can be relied on consistently. This is why someone with the CEH
certification can be trusted. They have demonstrated that they have met known and accepted
standards of both knowledge and professional conduct.

Using This Book


This book is structured in a way that foundational material is up front. With this approach,
you can make your way in an orderly fashion through the book, one chapter at a time.
Technical books can be dry and difficult to get through sometimes, but it’s always my goal
to try to make them easy to read and hopefully entertaining along the way. If you already
have a lot of experience, you don’t need to take the direct route from beginning to end. You
can skip around as you need to. No chapter relies on any other. They all stand alone with
respect to the content. However, if you don’t have the foundation and try to jump to a later
chapter, you may find yourself getting lost or confused by the material. All you need to do
is jump back to some of the foundational chapters.
Beyond the foundational materials, the book generally follows a fairly standard
methodology when it comes to performing security testing. This methodology will be further
explained in Chapter 1. As a result, you can follow along with the steps of a penetration
test/ethical hacking engagement. Understanding the outline and reason for the
methodology will also be helpful to you. Again, though, if you know the material, you can move
around as you need to.

Objective Map
Table I.1 contains an objective map to show you at a glance where you can find each
objective covered. While there are chapters listed for all of these, there are some objectives that
are scattered throughout the book. Specifically, tools, systems, and programs get at least
touched on in most of the chapters.

Table I.1 Objective Map

Objective                                 Chapter

Tasks
1.1 Systems development and management    7, 14
1.2 Systems analysis and audits           4, 5, 6, 7
1.3 Security testing and vulnerabilities  7, 8
1.4 Reporting                             1, 7
1.5 Mitigation                            7, 8
1.6 Ethics                                1

Knowledge
2.1 Background                            2, 3
2.2 Analysis/assessment                   2, 11
2.3 Security                              3, 13, 14
2.4 Tools, systems, programs              4, 5, 6, 7
2.5 Procedures/methodology                1, 4, 5, 6, 7, 14
2.6 Regulation/policy                     1, 14
2.7 Ethics                                1

On the Day of the Exam


Plan to arrive at your test center at least 30 minutes before your exam start time. To check
in, you’ll need to:
■ Show two (2) valid, unexpired forms of personal ID (examples include: government
issued IDs, passport, etc.). Both must have your signature, and one of the two must
have your photo. For more information about acceptable IDs please visit
https://www.isc2.org/Register-for-Exam, and look under the What You Need to Bring to the
Test Center tab for more information.
■ Provide your signature.
■ Submit to a palm vein scan (unless it’s prohibited by law).
■ Have your photo taken. Hats, scarves, and coats may not be worn for your photo. You
also can’t wear these items in the test room.
The Test Administrator (TA) will give you a short orientation. If you have already arranged
for special accommodations for your testing, and (ISC)2 and Pearson VUE have approved them,
be sure to go over these with the TA. Then, the TA will escort you to a computer terminal.

Let’s Get Started!


This book is structured in a way that you will be led through foundational concepts and then
through a general methodology for ethical hacking. You can feel free to select your own
pathway through the book. Remember, wherever possible, get your hands dirty. Get some
experience with tools, tactics, and procedures that you are less familiar with. It will help you a lot.
Take the self-assessment. It may help you get a better idea how you can make the best
use of this book.
Assessment Test
1. Which header field is used to reassemble fragmented IP packets?
A. Destination address
B. IP identification
C. Don’t fragment bit
D. ToS field

2. If you were to see the following in a packet capture, what would you expect was happening?
' or 1=1;
A. Cross-site scripting
B. Command injection
C. SQL injection
D. XML external entity injection

3. What method might you use to successfully get malware onto a mobile device?
A. Through the Apple Store or Google Play Store
B. External storage on an Android
C. Third-party app store
D. Jailbreaking

4. What protocol is used to take a destination IP address and get a packet to a destination on
the local network?
A. DHCP
B. ARP
C. DNS
D. RARP

5. What would be the result of sending the string AAAAAAAAAAAAAAAAA into a variable
that has been allocated space for 8 bytes?
A. Heap spraying
B. SQL injection
C. Buffer overflow
D. Slowloris attack

6. If you were to see the subnet mask 255.255.248.0, what CIDR notation (prefix) would you
use to indicate the same thing?
A. /23
B. /22
C. /21
D. /20
Assessment Test xxv

7. What is the primary difference between a worm and a virus?
A. A worm uses polymorphic code
B. A virus uses polymorphic code
C. A worm can self-propagate
D. A virus can self-propagate

8. How would you calculate risk?
A. Probability * loss
B. Probability * mitigation factor
C. (Loss + mitigation factor) * (loss/probability)
D. Probability * mitigation factor

9. How does an evil twin attack work?
A. Phishing users for credentials
B. Spoofing an SSID
C. Changing an SSID
D. Injecting four-way handshakes

10. In order to remove malware in the network before it gets to the endpoint, you would use
which of the following?
A. Antivirus
B. Application layer gateway
C. Unified threat management appliance
D. Stateful firewall

11. What is the purpose of a security policy?
A. Providing high-level guidance on the role of security
B. Providing specific direction to security workers
C. Increasing the bottom line of a company
D. Aligning standards and practices

12. What has been done to the following string? %3Cscript%3Ealert('wubble');%3C/script%3E
A. Base64 encoding
B. URL encoding
C. Encryption
D. Cryptographic hashing

13. What would you get from running the command dig ns domain.com?
A. Mail exchanger records for domain.com
B. Name server records for domain.com
C. Caching name server for domain.com
D. IP address for the hostname ns

14. What technique would you ideally use to get all of the hostnames associated with a
domain?
A. DNS query
B. Zone copy
C. Zone transfer
D. Recursive request

15. If you were to notice operating system commands inside a DNS request while looking at a
packet capture, what might you be looking at?
A. Tunneling attack
B. DNS amplification
C. DNS recursion
D. XML entity injection

16. What would be the purpose of running a ping sweep?
A. You want to identify responsive hosts without a port scan.
B. You want to use something that is light on network traffic.
C. You want to use a protocol that may be allowed through the firewall.
D. All of the above.

17. How many functions are specified by NIST’s cybersecurity framework?
A. 0
B. 3
C. 5
D. 4

18. What would be one reason not to write malware in Python?
A. Python interpreter is slow.
B. Python interpreter may not be available.
C. There is inadequate library support.
D. Python is a hard language to learn.

19. If you saw the following command line, what would you be capturing?
tcpdump -i eth2 host 192.168.10.5
A. Traffic just from 192.168.10.5
B. Traffic to and from 192.168.10.5
C. Traffic just to 192.168.10.5
D. All traffic other than from 192.168.86.5

20. What is Diffie-Hellman used for?
A. Key management
B. Key isolation
C. Key exchange
D. Key revocation

21. Which social engineering principle may allow a phony call from the help desk to
be effective?
A. Social proof
B. Imitation
C. Scarcity
D. Authority

22. How do you authenticate with SNMPv1?
A. Username/password
B. Hash
C. Public string
D. Community string

23. What is the process Java programs identify themselves to if they are sharing procedures
over the network?
A. RMI registry
B. RMI mapper
C. RMI database
D. RMI process

24. What do we call an ARP response without a corresponding ARP request?
A. Is-at response
B. Who-has ARP
C. Gratuitous ARP
D. IP response

25. What are the three times that are typically stored as part of file metadata?
A. Moves, adds, changes
B. Modified, accessed, deleted
C. Moved, accessed, changed
D. Modified, accessed, created

26. Which of these is a reason to use an exploit against a local vulnerability?
A. Pivoting
B. Log manipulation
C. Privilege escalation
D. Password collection

27. What principle is used to demonstrate that a signed message came from the owner of the
key that signed it?
A. Non-repudiation
B. Non-verifiability
C. Integrity
D. Authority

28. What is a viable approach to protecting against tailgating?
A. Biometrics
B. Badge access
C. Phone verification
D. Man traps

29. Why is bluesnarfing potentially more dangerous than bluejacking?
A. Bluejacking sends while bluesnarfing receives.
B. Bluejacking receives while bluesnarfing sends.
C. Bluejacking installs keyloggers.
D. Bluesnarfing installs keyloggers.

30. Which of the security triad properties does the Biba security model relate to?
A. Confidentiality
B. Integrity
C. Availability
D. All of them
Answers to Assessment Test
1. B. The destination address is used as the address to send messages to. The don’t fragment
bit is used to tell network devices not to fragment the packet. The Type of Service (ToS)
field can be used to perform quality of service. The IP identification field is used to identify
fragments of the same packet, as they would all have the same IP identification number.
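The reassembly described in answer 1, as an added example that is not from the book: constructed IPv4 fragments are grouped by source, destination, protocol and IP identification, then put back together using the fragment offset and the More Fragments flag. The addresses, IP ID and payloads are constructed sample data.

```python
import struct
from collections import defaultdict

IP_HDR = "!BBHHHBBH4s4s"   # minimal 20-byte IPv4 header, no options
MF_FLAG = 0x2000           # More Fragments bit in the flags/offset field

def build_ipv4(src, dst, proto, ident, offset_units, more, payload):
    """Construct a raw IPv4 packet (constructed test data, checksum left 0).
    offset_units is the fragment offset in 8-byte units."""
    flags_frag = (MF_FLAG if more else 0) | (offset_units & 0x1FFF)
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload

def parse_ipv4(pkt):
    """Pull out only the fields a reassembler needs."""
    (vihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack(IP_HDR, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {
        "key": (src, dst, proto, ident),        # fragments share all four
        "offset": (flags_frag & 0x1FFF) * 8,    # byte offset into datagram
        "more": bool(flags_frag & MF_FLAG),
        "payload": pkt[ihl:total_len],
    }

def reassemble(packets):
    """Group fragments by (src, dst, proto, IP ID) and rebuild each datagram.
    Returns {key: payload} for datagrams whose fragments fit together
    exactly. Incomplete sets are dropped, and gaps or overlapping fragments
    (a classic IDS-evasion pattern) cause the datagram to be discarded
    rather than merged."""
    groups = defaultdict(list)
    for pkt in packets:
        frag = parse_ipv4(pkt)
        groups[frag["key"]].append(frag)
    complete = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        # only the last fragment may have MF clear
        if frags[-1]["more"] or any(not f["more"] for f in frags[:-1]):
            continue
        buf = bytearray()
        for frag in frags:
            if frag["offset"] != len(buf):   # gap or overlap: reject
                break
            buf += frag["payload"]
        else:
            complete[key] = bytes(buf)
    return complete

def sample_capture():
    """Constructed capture: one UDP datagram split into three fragments,
    delivered out of order, plus an unrelated packet that reuses the same
    IP ID from a different source (the ID alone is not the group key)."""
    a, b, c = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), bytes([10, 0, 0, 3])
    return [
        build_ipv4(a, b, 17, 0x1234, 1, True, b"B" * 8),
        build_ipv4(c, b, 17, 0x1234, 0, False, b"other"),
        build_ipv4(a, b, 17, 0x1234, 2, False, b"CC"),
        build_ipv4(a, b, 17, 0x1234, 0, True, b"A" * 8),
    ]

if __name__ == "__main__":
    for key, data in reassemble(sample_capture()).items():
        print(key, data)
```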

2. C. A SQL injection attack makes use of SQL queries, which can include logic that may
alter the flow of the application. In the example provided, the intent is to force the result of
the SQL query to always return a true. It is quoted the way it is to escape the existing query
already in place in the application. None of the other attacks use a syntax that looks like
the example.
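Recognising the two strings from questions 2 and 12 in traffic, as an added example that is not from the book: request lines are URL-decoded (repeatedly, so double-encoded input is normalised) and then checked against a tautology signature and a script-tag signature. The log lines, rule names and paths are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (request field of an access log).
SAMPLE_LOG = [
    "GET /login?user=alice&pass=hunter2 HTTP/1.1",
    "GET /login?user=%27%20or%201%3D1%3B HTTP/1.1",
    "GET /search?q=%3Cscript%3Ealert(%27wubble%27)%3B%3C/script%3E HTTP/1.1",
    "GET /search?q=%2527%2520or%25201%253D1 HTTP/1.1",   # double-encoded
    "GET /index.html HTTP/1.1",
]

# Signatures derived from the two strings on the page: a quote followed by
# an always-true comparison, and an HTML <script> tag.
RULES = [
    ("sqli-tautology", re.compile(r"['\"]\s*or\s+1\s*=\s*1", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
]

def fully_decode(text, max_rounds=3):
    """Apply URL decoding until nothing changes, so a double-encoded value
    (%2527 -> %27 -> ') is normalised before the signatures are applied."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def query_string(line):
    """Return the part of the request target after '?', or '' if none."""
    m = re.match(r"\S+\s+(\S+)", line)
    if not m or "?" not in m.group(1):
        return ""
    return m.group(1).split("?", 1)[1]

def classify(line):
    """Names of the rules that fire on the decoded query string."""
    qs = fully_decode(query_string(line))
    return [name for name, rx in RULES if rx.search(qs)]

def scan(lines):
    """Map each suspicious line to the rule names it matched."""
    hits = {}
    for line in lines:
        labels = classify(line)
        if labels:
            hits[line] = labels
    return hits

if __name__ == "__main__":
    for line, labels in scan(SAMPLE_LOG).items():
        print(labels, line)
```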

3. C. The Apple App Store and the Google Play Store are controlled by Apple and Google. It’s
not impossible to get malware onto mobile devices that way, but it’s very difficult because
apps get run through a vetting process. While some Android devices will support external
storage, it’s not an effective way to get malware onto a smartphone or other mobile device.
Jailbreaking can lead to malware being installed but it’s not the means to get malware onto
a mobile device. Third-party app stores can be a good means to get malware onto mobile
devices because some third-party app stores don’t vet apps that are submitted.

4. B. DHCP is used to get IP configuration to endpoints. DNS is used to resolve a hostname
to an IP address and vice versa. RARP is the reverse address protocol used to take a MAC
address and resolve it to an IP address. ARP is used to resolve an IP address to a MAC
address. Communication on a local network requires the use of a MAC address. The IP
address is used to get to systems off the local network.

5. C. Heap spraying uses dynamically allocated space to store attack code. A slowloris attack
is used to hold open web server connection buffers. A SQL injection will be used to inject
SQL queries to the database server. A buffer overflow sends more data into the application
than space has been allocated for.

6. B. A /23 network would be 255.255.254.0. A /22 would be 255.255.252.0. A /20 would be
255.255.240.0. Only a /21 would give you a 255.255.248.0 subnet mask.
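The mask arithmetic behind answer 6 and the local-versus-off-link decision behind answer 4, as an added example that is not from the book: a dotted mask is converted to a prefix length (rejecting masks whose 1 bits are not contiguous), converted back, and used to decide whether a sender resolves the destination itself or its default gateway with ARP. The addresses and the gateway are constructed.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def prefix_to_bits(prefix):
    """Integer form of the mask for a prefix length: /21 -> 0xFFFFF800."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: {prefix}")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES

def mask_to_prefix(mask):
    """CIDR prefix length for a dotted-decimal mask, e.g. 255.255.248.0 -> 21.
    A valid mask is a run of 1 bits followed by 0 bits; anything else
    (255.255.247.0, for instance) is rejected rather than guessed at."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != prefix_to_bits(prefix):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix

def prefix_to_mask(prefix):
    """Inverse of mask_to_prefix: 21 -> '255.255.248.0'."""
    return str(ipaddress.IPv4Address(prefix_to_bits(prefix)))

def is_valid_mask(mask):
    try:
        mask_to_prefix(mask)
        return True
    except ValueError:
        return False

def next_hop(src_ip, mask, dst_ip, gateway):
    """The address the sender must resolve with ARP to reach dst_ip: the
    destination itself when it shares the sender's subnet, otherwise the
    default gateway (constructed decision logic for answer 4)."""
    bits = prefix_to_bits(mask_to_prefix(mask))
    src = int(ipaddress.IPv4Address(src_ip))
    dst = int(ipaddress.IPv4Address(dst_ip))
    return dst_ip if (src & bits) == (dst & bits) else gateway

if __name__ == "__main__":
    # Constructed sample host on a /21 (192.168.8.0 - 192.168.15.255).
    for dst in ("192.168.15.200", "192.168.16.1"):
        print(dst, "->", next_hop("192.168.10.5", "255.255.248.0", dst, "192.168.8.1"))
```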

7. C. Both worms and viruses could be written to use polymorphic code, which means they
could modify what they look like as they propagate. A worm, though, could self-propagate.
It’s the one distinction between worms and viruses. Viruses require some intervention on
the part of the user to propagate and execute.

8. A. Risk is the probability of the occurrence of an event multiplied by the dollar value
of loss. There is no mitigation factor that is quantified so it could be put into a risk
calculation.

9. B. An evil twin attack uses an access point masquerading to be the point of connection
for stations trying to connect to a legitimate wireless network. Stations reach out to make
connections to this access point masquerading as another access point. While you may
phish for credentials as part of an evil twin attack, credential phishing is not how evil twin