Exam Preparation Tasks
As mentioned in the section “How to Use This Book” in the Introduction, you have a couple of choices for exam preparation: the exercises here; Chapter 14, “Final Preparation”; and the exam simulation questions on the CD-ROM.
Review All Key Topics
Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 4-6 lists a reference of these key topics and the page numbers on which each is found.
Table 4-6 Key Topics for Chapter 4
Key Topic Element
Explains how enumeration works
User ID and corresponding RID code
Microsoft key ports and protocols
Explains how system hacking works
Explains how ADS works
Define Key Terms
Define the following key terms from this chapter and check your answers in the glossary:
- Active Directory, brute-force attack, dictionary attack, hybrid attack, InterProcess Communication, kernel, kernel mode, keystroke loggers, local security authority subsystem, NetBIOS, RainbowCrack techniques, relative identifiers, Security Accounts Manager, security identifiers, Server Message Block, Simple Network Management Protocol, and user mode
Command Reference to Check Your Memory
The CEH exam focuses on practical, hands-on skills that are used by a security professional. Therefore, you should be able to identify common net use commands.
Table 4-7 net use Commands
net use \\ip address\ipc$ "" /u:""
Map a drive
net use * \\ip address\share * /u:username
View open shares
net view \\ipaddress
4.1 NTFS File Streaming
By using NTFS file streaming, you can effectively hide files in an NTFS environment.
Estimated Time: 15 minutes.
- Download Sfind and LNS—two good NTFS file streaming programs. Sfind is at www.antiserver.it/Win%20NT/Security/download/ForensicToolkit14.exe, and LNS is at www.ntsecurity.nu/toolbox/lns/.
- Create a temporary folder on the root of your NTFS drive. Name the folder test, or give it another suitable name.
- Copy notepad.exe into the test folder and rename it hack.exe. You will use this file to simulate it as the hacking tool.
- Next, create a text file called readme.txt. Place some text inside the readme file, something like hello world will work.
- Open a command prompt and change directories to place yourself in the test folder. By performing a directory listing, you should see two files: hack.exe and readme.txt. Record the total free space shown after the directory listing: _______
From the command line, issue the following command:
Type hack.exe > readme.txt:hack.exe
- Now run a directory listing again and record the free space results: __________________
- Has anything changed? You should have noticed that free space has been reduced. That is because you streamed hack.exe behind readme.txt.
Execute the following from the command line:
Start c:\ test\ readme.txt:hack.exe
- Did you notice what happened? Your hacked file, notepad.exe, should have popped open on the screen. The file is completely hidden, as it is streamed behind readme.txt.
- Finally run both Sfind and LNS from the command line. Both programs should detect the streamed file hack.exe. File streaming is a powerful way to hide information and make it hard to detect.
How can you determine whether an LM hash you extracted contains a password that is fewer than eight characters long?
- There is no way to tell because a hash cannot be reversed.
- The rightmost portion of the hash is always the same.
- The hash always starts with AB923D.
- The leftmost portion of the hash is always the same.
Which of the following is a well-known password-cracking program?
- Jack the Ripper
What did the following commands determine?
C:\ user2sid \ \ truck guest S-1-5-21-343818398-789336058-1343024091-501 C:\ sid2user 5 21 343818398 789336058 1343024091 500 Name is Joe Domain is Truck
- These commands demonstrate that the Joe account has a SID of 500.
- These commands demonstrate that the guest account has not been disabled.
- These commands demonstrate that the guest account has been disabled.
- These commands demonstrate that the true administrator is Joe.
What is the RID of the true administrator?
What is the best alternative if you discover that a rootkit has been installed on one of your computers?
- Copy the system files from a known good system.
- Perform a trap and trace.
- Delete the files and try to determine the source.
- Rebuild from known good media.
To increase password security, Microsoft added a second layer of encryption. What is this second later called?
SNMP is a protocol used to query hosts and other network devices about their network status. One of its key features is its use of network agents to collect and store management information, such as the number of error packets received by a managed device. Which of the following makes it a great target for hackers?
- It’s enabled by all network devices by default.
- It’s based on TCP.
- It sends community strings in cleartext.
- It is susceptible to sniffing if the community string is known.
Which of the following is the best way to prevent the use of LM authentication of your legacy Windows 2003 servers?
- Use the LMShut tool from Microsoft.
- Use the NoLMHash Policy by Using Group Policy.
- Disable Lsass in Windows 2003.
- Use a password that is at least 10 characters long.
Which of the following tools can be used to clear the Windows logs?
- Cain and Abel
What is one of the disadvantages of using John the Ripper?
- It cannot crack NTLM passwords.
- It separates the passwords into two separate halves.
- It cannot differentiate between uppercase and lowercase passwords.
- It cannot perform brute-force cracks.
You found the following command on a compromised system:
Type nc.exe > readme.txt:nc.exe
What is its purpose?
- This command is used to start a Netcat listener on the victim’s system.
- This command is used to stream Netcat behind readme.txt.
- This command is used to open a command shell on the victim with Netcat.
- This command is used to unstream Netcat.exe.
Which of the following uses the faster time-memory trade-off technique and works by precomputing all possible passwords in advance?
- Rainbow tables
- Dictionary cracks
- Hybrid cracks
- Brute-force crack
Why would an attacker scan for port 445?
- To attempt to DoS the NetBIOS SMB service on the victim system
- To scan for file and print sharing on the victim system
- To scan for SMB services and verify that the system is Windows 2000 or greater
- To scan for NetBIOS services and verify that the system is truly a Windows NT server
You have downloaded a tool called SYSCracker, and you plan to use it to break SYSKEY encryption. The first thing the tool prompts you for is to set the level of SYSKEY encryption. How many bits are used for SYSKEY encryption?
- 40 bits
- 64 bits
- 128 bits
- 256 bits
You are trying to establish a null session to a target system. Which is the correct syntax?
- net use \\ IP_address\ IPC$ "" /u:""
- net use //IP_address/IPC$ "" \ u:""
- net use \\ IP_address\ IPC$ * /u:""
- net use \\ IP_address\ IPC$ * \ u:""
Suggested Reading and Resources
- www.bindview.com/Services//RAZOR/Utilities/Windows/enum_readme.cfm: Enum website
- www.systemtools.com/cgi-bin/download.pl?DumpAcl: DumpSec home page
- http://evgenii.rudnyi.ru/programming.html#overview: SID2USER enumeration tools
- www.securityfocus.com/infocus/1352: Enumerating Windows systems
- www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cnbd_trb_gtvp.asp: NBTStat overview and uses
- www.governmentsecurity.org/articles/ExploitingTheIPCShare.php: Exploiting the IPC$ share
- www.netbus.org/keystroke-logger.html: Keystroke loggers
- www.theregister.co.uk/2003/03/07/windows_root_kits_a_stealthy: Windows rootkits
- www.hnc3k.com/hackingtutorials.htm: Hacking Windows
- www.antionline.com/showthread.php?threadid=268572: Privilege/escalation tools