CEHv10_Ultimate_Study_Guide

Ultimate Study Guide for the CEH v10

Scanning and Enumeration

Scanning - discovering systems on the network and looking at what ports are open as well as applications that may be running

Connectionless Communication - UDP packets are sent without creating a connection. Examples are TFTP, DNS (lookups only) and DHCP

Connection-Oriented Communication - TCP packets require a connection due to the size of the data being transmitted and to ensure deliverability

TCP Flags

Flag Name Function
SYN Synchronize Set during initial communication. Negotiating of parameters and sequence numbers
ACK Acknowledgment Set as an acknowledgement to the SYN flag. Always set after initial SYN
RST Reset Forces the termination of a connection (in both directions)
FIN Finish Ordered close to communications
PSH Push Forces the delivery of data without concern for buffering
URG Urgent Data inside is being sent out of band. Example is cancelling a message

TCP Handshake

Port Numbers

Subnetting

Scanning Methodology

Identifying Targets

Port Scan Types

Nmap Switches

Switch Description
-sA ACK scan
-sF FIN scan
-sI IDLE scan
-sL DNS scan (list scan)
-sN NULL scan
-sO Protocol scan (tests which IP protocols respond)
-sP Ping scan
-sR RPC scan
-sS SYN scan
-sT TCP connect scan
-sW Window scan
-sX XMAS scan
-A OS detection, version detection, script scanning and traceroute
-PI ICMP ping
-Po No ping
-PS SYN ping
-PT TCP ping
-oN Normal output
-oX XML output
-T0 through -T2 Serial scans. T0 is slowest
-T3 through -T5 Parallel scans. T3 is slowest

Hping

Switch Description
-1 Sets ICMP mode
-2 Sets UDP mode
-8 Sets scan mode. Expects port range without -p flag
-9 Listen mode. Expects signature (e.g. HTTP) and interface (-I eth0)
–flood Sends packets as fast as possible without showing incoming replies
-Q Collects sequence numbers generated by the host
-p Sets port number
-F Sets the FIN flag
-S Sets the SYN flag
-R Sets the RST flag
-P Sets the PSH flag
-A Sets the ACK flag
-U Sets the URG flag
-X Sets the XMAS scan flags

Evasion

Vulnerability Scanning

Enumeration

Windows System Basics

NetBIOS Enumeration

Code Type Meaning
<1B> UNIQUE Domain master browser
<1C> UNIQUE Domain controller
<1D> GROUP Master browser for subnet
<00> UNIQUE Hostname
<00> GROUP Domain name
<03> UNIQUE Service running on system
<20> UNIQUE Server service running

SNMP Enumeration

Other Enumerations

Table Of Contents