This document provides a study cheat sheet for the CEH v9 certification. It includes definitions and explanations of various cybersecurity topics like subnet addressing, types of network attacks (teardrop, SMURF, FRAGGLE), TCP/UDP ports, malware types (bot, worm), and network protocols (NTP, DNS). It also provides summaries of NIST risk assessment methodology, Microsoft SDL practices, and wireless security protocols (WPA, WPA2, CCMP). Finally, it includes questions about tools (Nmap, Nikto, NetStumbler), OS exploits (WebGoat), and compliance requirements (PCI DSS).

1. Dave Sweigert,
CISA, CISSP, HCISPP, PCIP, PMP, SEC+
Study cheat sheet for CEH v9
 Directive Control – Example: distributing a policy that forbids personal devices.
 192.168.2.32/27 Subnet address. /27 indicates that 27 bits belong to the 32 bit
IP address. Thus, the host portion of the I.P. address is made up of the
remaining bits. Use the formula 2 to the n power to determine the number of
addresses defined by a subnet mask. A /27 subnet mask uses 5 bits for host
addresses, so 2 to the power of 5 equals 32 addresses for the subnet.
 What is a teardrop attack? During a teardrop attack, attacker sends several
large overlapping IP fragments.
 What is a SMURF attack? Attacker pings broadcast address by sending ICMP
echo request packets from a forged source address (which will receive the
replies from the ICMP echo requests). Each device that received the forged
source address will response with an echo request to that address, flooding the
source (target).
 What is a FRAGGLE attack? Attacker sends forged UDP echo and chargen
(character generator) packets with a forged source address.
A hostmay connectto a serverthat supportsthe CharacterGeneratorProtocol on either
TransmissionControl Protocol (TCP) orUserDatagram Protocol (UDP) port number19. Upon
openingaTCP connection,the serverstartssendingarbitrarycharacterstothe connecting
hostand continuesuntil the hostclosesthe connection.Inthe UDP implementationof the
protocol,the serversendsaUDP datagram containinga randomnumber(between0and 512)
of characterseverytime itreceivesadatagramfrom the connectinghost.Anydatareceived
by the serverisdiscarded.
https://en.wikipedia.org/wiki/Character_Generator_Protocol
 Why would someone operate TCP over DNS (port 53)? To vade firewall
inspection by creating a tunnel via Port 53. There are TCP-over-DNS tools that
accomplish this task.
 Describe a characteristic of block ciphers: Block ciphers encrypt specific blocks
of data. WARNING: block ciphers are NOT faster than stream ciphers.

2.  Describe a sparse infector virus. Sparse infector viruses are executed only when
a specific condition is met. They are conditional virus.
sparse infector virus
Also known as a sparse virus, a type of virus that only infects files when certain
conditions are met. Examples include viruses that infect files only on their 10th
execution or viruses that target files with a maximum size of 128 KB. These viruses
use the conditions to infect less often and therefore avoid detection.
http://en.termwiki.com/EN/sparse_infector_virus
 Why can’t the Windows Traceroute program guarantee response times and
packets? Traceroute uses ICMP packets and many routers and firewalls are
configured to drop ICMP packets. Thus, Traceroute cannot guarantee responses
from devices with ICMP packets.
 PCI DSS question. What tests must be performed at least quarterly to maintain
compliance with Requirement 11? 1) internal and external vulnerability scans, 2)
unauthorized Wireless Access Point 9WAP) detection.
PCI DSS requirement 11.1 mandates the use of wireless scanners in your
cardholder environment on at least a quarterly basis to ensure that rogue
wireless networks are not present. The text of the requirement reads “Test for
the presence of wireless access points by using a wireless analyzer at least
quarterly or deploying a wireless IDS/IPS to identify all wireless devices in
use.”
11.2 Run internal and external network vulnerability scans at least quarterly
and after any significant change in the network (such as new system
component installations, changes in network topology, firewall rule
modifications, product upgrades). (Source: PCI DSS v3.0, p. 91)
 Wireshark filter question. What filter will display traffic TO and FROM
192.168.10.0/24? ip.src==192.168.10/24 or ip.dst==192.168.10.0/24 and
ip.addr==192.168.10.0/24

3. Filtering IP Address in Wireshark:
(1)single IP filtering:
 ip.addr==X.X.X.X
 ip.src==X.X.X.X
 ip.dst==X.X.X.X
(2)Multiple IP filtering based on logical conditions:
 OR condition:
 (ip.src==192.168.2.25)||(ip.dst==192.168.2.25)
 AND condition:
 (ip.src==192.168.2.25) && (ip.dst==74.125.236.16)
 What platforms can NETSTUMBLER operate on? NetStumbler can only be
installed on Windows platforms. It will not install on Mac O/S or Linux.
Additionally, NetStumbler DOES NOT support 802.11n mode nor will it support
monitor mode (passive monitoring).
 NIST SP 800-30. What is the first step in the NIST 800-30 risk assessment?
System characterization.
Step 1. System Characterization
The firststepin assessingriskistodefine the scope of the effort. Todo this,identifywhere
ePHI iscreated,received,maintained,processed,ortransmitted.
Step 2. Threat Identification
For thisstep,potential threats(the potential forthreat-sourcestosuccessfullyexercise a
particularvulnerability) are identifiedanddocumented.
Step 3. VulnerabilityIdentification
The goal of thisstepis to developalistof technical andnon-technical systemvulnerabilities
(flawsorweaknesses) thatcouldbe exploitedortriggeredbythe potential threat-sources.
Step 4. Control Analysis
The goal of thisstepis to documentandassessthe effectivenessof technical andnon-
technical controlsthathave beenorwill be implementedbythe organizationtominimizeor
eliminatethe likelihood(orprobability)of athreat-source exploitingasystemvulnerability.
Step 5. LikelihoodDetermination
The goal of thisstepis to determine the overall likelihoodratingthatindicatesthe probability
that a vulnerabilitycouldbe exploitedbyathreat-source giventhe existingorplanned
securitycontrols.
Step 6. Impact Analysis
The goal of thisstepis to determine the level of adverse impactthatwouldresultfroma
threatsuccessfullyexploitingavulnerability.
Step 7. Risk Determination
By multiplyingthe ratingsfromthe likelihooddeterminationandimpactanalysis,arisklevelis
determined.

4.  Signs of unauthorized data on a device?
a. User created data in the HPA
b. A file created with steganography with data in it
c. A file header that does not match the extension.
 What are the scripting languages: PERL, RUBY, JAVA.
 What is a false negative? A false negative occurs when an IPS or IDS does not
identify malicious traffic entering the network.
 What type of malware can propagate without human interaction? BOT and
WORM. A worm can self-propagate and replicate itself within the infected
operating system of the target. A bot can self-propagate to establish a
connection with a mother ship and create a zombie device.
 What is a hyper-visor root kit? Allows the migration of the O/S in a virtual
machine; thus allowing concealment of malicious programs within the VM.
Hyper-visor level root-kits install themselves between the hardware layer and the
O/S.
A hypervisorrootkitdoesnothave tomake anymodificationstothe kernel of the targetto
subvertit;however,thatdoesnotmeanthat itcannot be detectedbythe guestoperating
system.Forexample,timingdifferencesmaybe detectablein CPUinstructions.
https://en.wikipedia.org/wiki/Rootkit
 Which protocol uses Port 123? Network Time Protocol (NTP).
 Name three practices that take place in the DESIGN stage of the Microsoft
Security Development Lifecycle: Establish design requirements, Perform attack
service analysis and reduction and Use threat modeling.
 SDL Practice #5: Establish Design Requirements Considering security
and privacy concerns early helps minimize the risk of schedule
disruptions and reduce a project's expense.
 SDL Practice #6: Attack Surface Analysis/Reduction Reducing the
opportunities for attackers to exploit a potential weak spot or
vulnerability requires thoroughly analyzing overall attack surface and
includes disabling or restricting access to system services, applying the
principle of least privilege, and employing layered defenses wherever
possible.
 SDL Practice #7: Use Threat Modeling Applying a structured approach
to threat scenarios during design helps a team more effectively and less

5. expensively identify security vulnerabilities, determine risks from those
threats, and establish appropriate mitigations.
http://www.microsoft.com/en-us/SDL
 Which DNS record is used to translate an IP address from a hostname? A
DNS Syntax Types Explained
An “A” record, which stands for “address” is the most basic type of syntax used
in DNS records, indicating the actual IP address of the domain. The “AAAA”
record is an IPV6 address record that maps a hostname to a 128-bit Ipv6
address. Regular DNS addresses are mapped for 32-bit IPv4 addresses.
The “CNAME” record stands for “canonical name” and serves to make one
domain an alias of another domain. CNAME is often used to associate new
subdomains with an existing domain's DNS records.
The “MX” record stands for “mail exchange” and is basically a list of mail
exchange servers that are to be used for the domain.
The “PTR” record stands for “pointer record” and maps an Ipv4 address to the
CNAME on the host.
The “NS” record stands for “name server” and indicates which Name Server is
authoritative for the domain.
An “SOA” record stands for “State of Authority” and is easily one of the most
essential DSN records because it stores important information like when the
domain was last updated and much more.
An “SRV” record stands for “service” and is used to define a TCP service on
which the domain operates.
A “TXT” record lets the administrator insert any text they'd like into the DNS
record, and it is often used for denoting facts about the domain.
http://www.pcnames.com/articles/what-are-dns-records
 Describe the characteristics of WebGoat:
a. It uses BLACK BOX testing methods
b. It is available from OWASP
c. It can install on Windows, Linux and Mac O/S
d. It provides 30 demonstration lessons
e. It can be used with either Java or .NET

6.  Explain what is meant by multi-honed devices: All firewalls are multi-honed
devices (meaning more than one network connection).
Network layer or packet filters
Network layer firewalls, also called packet filters, operate at a relatively low level of
the TCP/IP protocol stack, not allowing packets to pass through the firewall unless they
match the established rule set. The firewall administrator may define the rules; or
default rules may apply. The term "packet filter" originated in the context of BSD
operating systems.
Network layer firewalls generally fall into two sub-categories, stateful and stateless.
Stateful firewalls maintain context about active sessions, and use that "state
information" to speed packet processing. Any existing network connection can be
described by several properties, including source and destination IP address, UDP or
TCP ports, and the current stage of the connection's lifetime (including session
initiation, handshaking, data transfer, or completion connection). If a packet does not
match an existing connection, it will be evaluated according to the ruleset for new
connections. If a packet matches an existing connection based on comparison with the
firewall's state table, it will be allowed to pass without further processing.
Application-layer
Main article: Application layerfirewall
Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all
browser traffic, or all telnet or FTP traffic), and may intercept all packets traveling to
or from an application. They block other packets (usually dropping them without
acknowledgment to the sender).
On inspecting all packets for improper content, firewalls can restrict or prevent outright
the spread of networked computer worms and Trojans. The additional inspection
criteria can add extra latency to the forwarding of packets to their destination.
https://en.wikipedia.org/wiki/Firewall_(computing)
 Describe a Ping of Death attack: Uses fragmented ICMP messages to disable
the target. When the target attempts to re-create the fragmented ICMP
messages, the message exceeds its capacity. This re-assembly causes the O/S
to crash.

7.  What are the top three control categories?
 Preventive - These are controls that prevent the loss or harm from occurring. For
example, a control that enforces segregation of responsibilities (one person can
submit a payment request, but a second person must authorize it), minimizes the
chance an employee can issue fraudulent payments.
 Detective - These controls monitor activity to identify instances where practices or
procedures were not followed. For example, a business might reconcile the general
ledger or review payment request audit logs to identify fraudulent payments.
 Corrective - Corrective controls restore the system or process back to the state
prior to a harmful event. For example, a business may implement a full restoration
of a system from backup tapes after evidence is found that someone has improperly
altered the payment data.
http://ishandbook.bsewall.com/risk/Assess/Risk/control_types.html
 Does RC4 use a block cipher? NO. RC4 is a symmetric encryption algorithm
that uses a stream cipher. NOTE: stream ciphers are faster than block ciphers.
 What is ESP? Encapsulating Security Protocol used in IP Sec. ESP provides for
confidentiality in IP Sec. NOTE: Unlike Authentication Header (AH), ESP in
transport mode does not provide integrity and authentication for the entire IP
packet.
AH provides authentication and integrity.
The IPSec Authentication Header (AH) protocol allows the recipient of a datagram to
verify its authenticity. It is implemented as a header added to an IP datagram that
contains an integrity check value computed based on the values of the fields in the
datagram. This value can be used by the recipient to ensure that the data has not
been changed in transit. The Authentication Header does not encrypt data and thus
does not ensure the privacy of transmissions.
http://www.tcpipguide.com/free/t_IPSecAuthenticationHeaderAH-3.htm
 What is NIKTO? Nikto is an open-source Web server scanning tool. It is NOT a
SQL injection test tool. SQL injection tools include: SQL Injector, SQL Ninja,
Havij, Pangolin and Absinthe.

8. Testing for SQL Injection
 OWASP SQLiX
 Sqlninja: a SQL Server Injection & Takeover Tool –
http://sqlninja.sourceforge.net
 Bernardo Damele A. G.: sqlmap, automatic SQL injection tool –
http://sqlmap.org/
 Absinthe 1.1 (formerly SQLSqueal) – http://sourceforge.net/projects/absinthe/
 SQLInjector – Uses inference techniques to extract data and determine the
backend database server. http://www.databasesecurity.com/sql-injector.htm
 Bsqlbf-v2: A perl script allows extraction of data from Blind SQL Injections –
http://code.google.com/p/bsqlbf-v2/
 Pangolin: An automatic SQL injection penetration testing tool –
http://www.darknet.org.uk/2009/05/pangolin-automatic-sql-injection-tool/
 Antonio Parata: Dump Files by sql inference on Mysql – SqlDumper –
http://www.ruizata.com/
 Multiple DBMS Sql Injection tool – SQL Power Injector –
http://www.sqlpowerinjector.com/
 MySql Blind Injection Bruteforcing, Reversing.org – sqlbftools –
http://packetstormsecurity.org/files/43795/sqlbftools-1.2.tar.gz.html
 What is CCMP? CCMP is used by WPA2 to provide integrity. It was invented to
correct weaknesses with the TKIP (Temporal Key Integrity Protocol). CCMP
implements the IEEE 802.11i standard. NOTE: WPA2 uses AES for encryption.
NOTE: WPA uses TKIP and RC4 for encryption. RC4 provides 128-bit
encryption.
Counter Mode Cipher Block Chaining Message Authentication Code Protocol,
Counter Mode CBC-MAC Protocol or simply CCMP (CCM mode Protocol) is an
encryption protocol designed for Wireless LAN products that implement the
standards of the IEEE 802.11i amendment to the original IEEE 802.11
standard.
https://en.wikipedia.org/wiki/CCMP

9. WPA2, aka 802.11i
Fully conforms with 802.11i as it implements all mandatory features.
Guarantees interoperability certification.
Effectively WPA2 is Wi-Fi Alliance's brand name for 802.11i.
Note: In some cases other optional features of 802.11i may be required, but
interoperability may not be guaranteed.
Support for AES encryption and AES-based CCMP message integrity is mandatory (is
optional in WPA).
As well as mandatory AES, WPA2 also adds PMK (Pair-wise Master Key) and Pre-
authentication to help fast roaming.
 What does the –p- parameter in NMAP accomplish? The –p- parameter scans
ports 1 thru 65535. Without the trailing dash specific ports can be specified; e.g.
nmap –p20-100 for ports 20 to 100.
 What is PCAP? It is the capture library used by Nmap, TCPDUMP, Wireshark,
LophtCrack, etc.
 What can scan remote devices to validate security? Microsoft Baseline Security
Analyzer (MBSA) can use the Windows Update Agent to remotely scan the
security state of computers on a network.
 Where does OSSTMM place PCI DSS? The contractual compliance category.
What are the other OSSTMM categories? LEGISLATIVE, CONTRACTUAL,
STANDARDS-BASED.
 NOTE: OSSTMM is maintained by ISECOM.
 What is the command NMAP –A equivalent to? Nmap –sV –sC –O –traceroute
 What is the function of PAT? PAT translates multiple private IP addresses to a
single public IP address. Port Address Translation.

10. Port Address Translation (PAT), is an extension to network address translation
(NAT) that permits multiple devices on a local area network (LAN) to be
mapped to a single public IP address. The goal of PAT is to conserve IP
addresses.
http://searchnetworking.techtarget.com/definition/Port-Address-Translation-
PAT
 What is the hash value created by MD%? 128 bits. SHA-1 can create a 160 bit
value.