Study Guide: Principles of Information Security: CEH (Certified Ethical Hacker) Focus Areas
Source: https://www.fatskills.com/first-aid/chapter/information-security-ceh-certified-ethical-hacker-focus-areas

Principles of Information Security: CEH (Certified Ethical Hacker) Focus Areas

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


CEH (Certified Ethical Hacker) Focus Areas – Exam-Ready Study Guide

What This Is

The Certified Ethical Hacker (CEH) certification validates your ability to think like a malicious attacker to identify and fix security vulnerabilities before criminals exploit them. Ethical hacking (also called penetration testing or red teaming) is critical because real-world attacks—like the 2021 Colonial Pipeline ransomware attack (which started with a leaked VPN password) or the 2020 Twitter Bitcoin scam (via social engineering)—show how even basic security gaps can lead to catastrophic breaches. CEH covers reconnaissance, scanning, exploitation, post-exploitation, and reporting, following frameworks like MITRE ATT&CK and OWASP Top 10.


Key Terms & Concepts

  • Ethical Hacking (Penetration Testing): Authorized simulated attacks on systems to find vulnerabilities before malicious hackers do. Governed by NIST SP 800-115 and OSSTMM (Open Source Security Testing Methodology Manual).

  • Footprinting & Reconnaissance: Gathering information about a target (e.g., domain names, IP ranges, employee emails) using tools like Maltego, theHarvester, or Shodan. Passive (no direct contact) vs. active (direct interaction).

  • Scanning (Network & Vulnerability): Probing systems for open ports, services, and weaknesses. Tools: Nmap (network scanning), Nessus (vulnerability scanning), OpenVAS.

  • Enumeration: Extracting detailed info from systems (e.g., usernames, shares, DNS records). Example: LDAP enumeration to list Active Directory users.

  • Exploitation: Taking advantage of vulnerabilities to gain unauthorized access. Tools: Metasploit (exploit framework), Burp Suite (web app attacks), SQLmap (SQL injection).

  • Post-Exploitation: Maintaining access, escalating privileges, and covering tracks. Tools: Mimikatz (credential dumping), PowerShell Empire (lateral movement).

  • Social Engineering: Manipulating humans to bypass security (e.g., phishing, pretexting). Tools: SET (Social Engineering Toolkit), GoPhish.

  • Web Application Hacking: Exploiting flaws in web apps (e.g., SQLi, XSS, CSRF). Follows OWASP Top 10 (e.g., A03:2021 – Injection).

  • Wireless Hacking: Attacking Wi-Fi networks (e.g., WPA2 handshake capture, Evil Twin attacks). Tools: Aircrack-ng, Wireshark, Kismet.

  • Malware Analysis: Studying malicious software (e.g., viruses, worms, ransomware). Tools: Cuckoo Sandbox, IDA Pro, Ghidra.

  • Evading IDS/IPS & Firewalls: Bypassing security controls (e.g., fragmentation attacks, encryption, obfuscation). Tools: Nmap stealth scans (-sS), Metasploit encoders.

  • Reporting & Remediation: Documenting findings and recommending fixes. Follows NIST SP 800-53 (security controls) and ISO 27001 (risk management).


Step-by-Step / Process Flow

1. Pre-Engagement (Scoping & Rules of Engagement)

  • Define scope (targets, IP ranges, testing windows).
  • Get written permission (avoid legal issues).
  • Agree on rules of engagement (e.g., no DoS attacks, no production data access).

2. Reconnaissance (Passive & Active)

  • Passive: OSINT (Open-Source Intelligence) – Google dorks, WHOIS, social media.
  • Active: DNS enumeration, ping sweeps, port scanning (Nmap).

3. Scanning & Enumeration

  • Network scanning: Identify live hosts, open ports (Nmap: nmap -sV -O <target>).
  • Vulnerability scanning: Nessus/OpenVAS to find CVEs (e.g., CVE-2021-44228 – Log4j).
  • Enumeration: Extract usernames, shares, services (e.g., enum4linux -a <target>).

4. Exploitation

  • Manual exploitation: Use Metasploit (msfconsole) or custom scripts.
  • Web app attacks: Burp Suite for SQLi, XSS, or CSRF.
  • Privilege escalation: Check for misconfigurations (e.g., SUID binaries, unpatched kernels).

5. Post-Exploitation

  • Maintain access: Install backdoors (e.g., Netcat listeners, cron jobs).
  • Lateral movement: Pass-the-hash, Kerberoasting (Mimikatz).
  • Cover tracks: Clear logs, delete temp files.

6. Reporting & Remediation

  • Document vulnerabilities, steps to reproduce, risk ratings (CVSS).
  • Recommend patches, configuration changes, or compensating controls.
  • Follow up with retesting to verify fixes.

Common Mistakes

  • Mistake: Assuming ethical hacking is just running tools.
    Correction: Ethical hacking requires methodology (recon → scanning → exploitation → reporting). Tools are just enablers.
  • Mistake: Skipping the "Rules of Engagement" document.
    Correction: Always get written permission; unauthorized testing is illegal (Computer Fraud and Abuse Act).
  • Mistake: Focusing only on technical exploits, ignoring social engineering.
    Correction: Humans are the weakest link; phishing and pretexting are often easier than hacking systems.
  • Mistake: Not documenting findings properly.
    Correction: A penetration test is useless without a clear, actionable report (include screenshots, steps to reproduce).
  • Mistake: Using default Metasploit payloads without customization.
    Correction: AV/EDR detects default payloads; use encoders (e.g., msfvenom -e x64/xor) or custom malware.

Certification Exam Tips

  1. CEH vs. CISSP/Security+ Differences:
     • CEH is hands-on (tools, commands, exploits).
     • CISSP is managerial (risk management, governance).
     • Security+ is foundational (basic concepts, no deep exploitation).

  2. Tricky Question Patterns:
     • "Which tool is best for X?" – Know Nmap (scanning), Metasploit (exploitation), Wireshark (packet analysis).
     • "What is the first step in ethical hacking?" – Reconnaissance (footprinting).
     • "Which attack exploits a misconfigured SUID binary?" – Privilege escalation (e.g., find / -perm -4000 2>/dev/null).

  3. Management vs. Technical Traps:
     • CEH questions will ask for specific commands (e.g., nmap -sS -p 80,443 <target>).
     • CISSP questions will ask for policies (e.g., "Which NIST framework covers penetration testing?" – NIST SP 800-115).

  4. Memorize Key Ports & Protocols:
     • 21 (FTP), 22 (SSH), 80 (HTTP), 443 (HTTPS), 3389 (RDP).
     • UDP vs. TCP: UDP is faster (no handshake), used in DNS (53), DHCP (67/68).

Quick Check Questions

1. During a penetration test, you discover an open port 21 (FTP) with anonymous login enabled. Which of the following is the BEST next step?

  • A) Immediately report it as a critical vulnerability.
  • B) Attempt to log in anonymously and enumerate files.
  • C) Run a vulnerability scan to check for CVEs.
  • D) Escalate to the client’s IT team for immediate patching.

Correct Answer: B
Explanation: Enumeration (listing files) helps determine the impact before reporting. Blindly reporting without verification may lead to false positives.


2. A security analyst is conducting a wireless assessment and captures a WPA2 handshake. Which tool is BEST suited for cracking the password offline?

  • A) Wireshark
  • B) Aircrack-ng
  • C) Kismet
  • D) John the Ripper

Correct Answer: B
Explanation: Aircrack-ng is designed for WPA/WPA2 handshake cracking using wordlists. Wireshark captures traffic but doesn’t crack passwords.


3. Which of the following is an example of a PASSIVE reconnaissance technique?

  • A) Running an Nmap scan on a target network.
  • B) Using Google dorks to find exposed documents.
  • C) Sending a phishing email to an employee.
  • D) Exploiting a SQL injection vulnerability.

Correct Answer: B
Explanation: Passive recon gathers info without direct interaction (e.g., Google dorks, WHOIS). Active recon (Nmap, phishing) involves direct contact.


Last-Minute Cram Sheet

  1. CEH Methodology: Recon → Scanning → Enumeration → Exploitation → Post-Exploitation → Reporting.
  2. Nmap Flags: -sS (Stealth scan), -sV (Service version), -O (OS detection), -p- (All ports).
  3. Metasploit Commands: msfconsole (start), search <exploit> (find), use <exploit>, set RHOSTS <target>, exploit.
  4. OWASP Top 10 (2021): A01: Broken Access Control, A03: Injection, A07: Identification & Authentication Failures.
  5. Common Ports: 21 (FTP), 22 (SSH), 23 (Telnet), 80 (HTTP), 443 (HTTPS), 3389 (RDP).
  6. Wireless Attacks: WPA2 Handshake Capture (Aircrack-ng), Evil Twin (Rogue AP), Deauth Attack (aireplay-ng).
  7. Privilege Escalation:
     • Linux: SUID binaries (find / -perm -4000), kernel exploits.
     • Windows: Token impersonation (Mimikatz), unquoted service paths.
  8. Social Engineering Tools: SET (Social Engineering Toolkit), GoPhish, Maltego.
  9. Exam Trap: "Which tool is used for X?" – Nmap (scanning), Metasploit (exploitation), Wireshark (analysis).
  10. CVSS Formula: Base Score = Impact + Exploitability (0–10 scale, 10 = critical).

Final Tip: For CEH, practice hands-on labs (TryHackMe, Hack The Box) and memorize tool commands—the exam tests real-world application, not just theory!