Hi guys

This note is to thank u for helping in my CEH. I got through the exam about 2 hrs ago with 91/100

I have one advise to all who want to do the CEH. Grab a Test King or similar document. 95% of the questions are there. But dont rely on the answers given by them. Lot of mistakes there. But study each question carefully and find all background information from the web.

If it is a tool, download it run it and experience it. Study all the Snort Logs , NMAP outputs using the questions as the guide.

So by the time u are done though the question list you have gained more than enogh knowladge to pass.

Best of Luck to those who plan to do the exam in the near future and thanks for the guys who gave me hints on areas to concentrate

Bye

Well done.

Can you tell us what EH-Net content helped you? I'd be interested to hear what sections, threads, articles or members were most helpful.

As for brain dumps, I agree with you. Most of the answers are wrong. But if you use the questions as a study guide and a foundation to plot your studies and lab work, that is a better way to go. On the other hand, this also means that you can pass the exam without them, and sometimes being provided the answers (albeit wrong ones) is too tempting for some. So leaving them alone is probably a better way to go.

Now that you have passed the exam, now what? I'm sure you realize this is just the beginning!

Congrats and we look forward to your participation,
Don

Thanks everybody

I agree with Don. But considering the extent of the tools covered and the size of the syllabus, you just cant cover everything unless you are full time studying. So a brain dump like test king is a excellent guide. And if you can find out the correct answers to the questions there, u are gurenteed to pass. 

Anyway there were number of questions on packet dumps. So try to understand them. specially Snort dumps. learn to identify IP flags, ehternet and IP source and destination addresses. Also remember the hex codes for ASCII claractors ,numbers and special charactors like '. ( need this to identify sql injections) . Also remember common port numbers like FTP/Telnet/SSH/SSL/TFTP/SNMP/DNS/Netbios/Keberos/IKE authentication (port 500).

If there are any specific questions, I will try to answer from what ever I know.

Well thats it.

Regards

Congratualtions on your CEH.


I did the CCSA and CCSE NG with Application Inteligence courses in September 2004, and I passed the CCSA exam (156-210.4) in February 2005. The latest exam is for CCSA NGX which is exam 156-215.

If you're going to be doing the cert, I recommend getting the official courseware, as it covers the material very well and the exam questions are taken from it word for word. Do you work regularly with Check Point products? Do you have any questions?

Perhaps start a new thread as this isn't really CEH related.

 Hey skel, you mentioned that the Test King examine prep was filled with errors. Would you say the errors were 10% , 20% or more ?  There are several examine preps for the CEH that are available and it might be good if we had reviews of them for CEH candidates.   I know Preplogic and Boson offer CEH examine preps, but it seems I have only heard negatives about them so far.

Also Look at this question

Snort has been used to capture packets on the network. On studying the packets, the penetration tester
finds it to be abnormal. If you were the penetration tester, why would you find this abnormal?
(Note: The student is being tested on concept learnt during passive OS fingerprinting, basic TCP/IP
connection concepts and the ability to read packet signatures from a sniff dumo.)
05/20-17:06:45.061034 192.160.13.4:31337 -> 172.16.1.101:1
TCP TTL:44 TOS:0x10 ID:242
***FRP** Seq: 0XA1D95 Ack: 0x53 Win: 0x400
.
.
.
05/20-17:06:58.685879 192.160.13.4:31337 -> 172.16.1.101:1024
TCP TTL:44 TOS:0x10 ID:242
***FRP** Seg: 0XA1D95 Ack: 0x53 Win: 0x400
What is odd about this attack? (Choose the most appropriate statement)
A. This is not a spoofed packet as the IP stack has increasing numbers for the three flags.
B. This is back orifice activity as the scan comes from port 31337.
C. The attacker wants to avoid creating a sub-carrier connection that is not normally valid.
D. There packets were created by a tool; they were not created by a standard IP stack.

Test king says answer is B. But I think the answer should be D because a valid IP packet cannot have a all FRP flags set. So this has to be a tool.

Maybe somebody can clarify this answer.

Hi

On the packet capture.

1. This attack is obviously a port scan using malformed TCP packets (scaning ports from 1 to 1024)
2. Also notice the scans originate form port 31337.
3. The packets are TCP

The BO is known to listen on port 31337. But I doubt that it originates sessions from the listning port. If the destination port was 31337 then the communication is probably BO. So the source port being 31337 could mean thst it is a random port but it just happened to be 31337 in this case.

I can also remember reading somewhere that BO uses UDP  (may be I am wrong here).

In addition does BO have plugins to do port scanning? This I dont know. I have not seen a plugin to do this.

Therefore I doubt that this is a BO activity.

Regards

I agree with Chris. I got this question in my exam and I chose D because of the Fin, Reset and Push flags being all in the same packet.