Title: Exam version 4 help
Post by: skel on August 30, 2006, 12:07:27 PM

Hi

I came across this site when searching for hping info. This site is great. This is the only discussion site I found relating to CEH. So thanks to the owner. I am thinking of sitting for the CEH next week (if my office time permits). I have a generic question for guys who have done exam 4. I have a general idea of what ver 3 of the exam looks like. But how about version 4? Is it similar to ver 3? What are the most common tools the exam focused on in relation to parameters etc.?

thanks

Title: Re: Exam version 4 help
Post by: don on August 30, 2006, 02:00:59 PM

First of all, thanks for the compliment and welcome to EH-Net from the 'owner.' As always we look forward to your continued participation.

In your post you say that you're thinking of sitting for the exam next week. Have you put in the time to study and do you have experience in the field? Although not a hard exam, it is easy for those who are prepared. I can't give away too much, as I have already taken the exam and don't want to be unethical. But be sure to know switches for Nmap and Netcat. Most of the other tools, you just need to know what it does, but not the switches. There are also questions with Snort log dumps. You don't need to know Snort in depth, but it would help to know what the attack looks like.

Hope this helps,
Don

Title: Re: Exam version 4 help
Post by: Oyle on August 30, 2006, 07:13:49 PM

Welcome. I did the exam ver. 2.3, and there were questions on buffer overflows, DDoS, and many other goodies. I had a question on URL de-obfuscation that was not covered in my class. Make sure you know how to de-obfuscate.

Some programming knowledge would be nice, as well. Hope you understand that once we pass an exam we cannot take it again, even if we WANTED to throw the money away. Same as with Microsoft exams, once you PASS an exam, you are NOT ALLOWED to take it again. :o Then again, why would you want to? Like Don asked, are you SURE you're ready for it? ??? ???

Title: Re: Exam version 4 help
Post by: LSOChris on August 30, 2006, 11:52:32 PM

welcome!
Title: Re: Exam version 4 help
Post by: skel on August 31, 2006, 12:24:40 AM

Hi guys

Thanks to Kev and Oyle for the replies and tips. I went through my training last year and have been planning to do the exam ever since. I have gone through the books and played around with the Auditor CD and PHLAK CDs. And I am going through them again now. Well, our training was nothing like what Fenris wrote. This was a more relaxed (loose? :( ) training and there was nothing called lab classes. We didn't even have a Linux box. We got the internet connection to the training room only on the second or third day. But the guy who did the training really knew his stuff. So, with nothing much to hack, we hacked into the training institute's file server using a buffer overflow attack. I must say the institute's guys were surprised :o. But it was harmless fun and the institute got a penetration testing job for free. So you guys are lucky to go through such a thorough exam preparation boot camp. Anyway, I have decided to do the exam next week (actually I was planning to do it last weekend but was stuck with office work). And also my exam voucher will be expiring soon ;D

I learned something new today. URL De-obfuscation!! First time I heard that word. But now I realise this refers to decoding encoded URLs. Please correct me if I am wrong. I thought only hex encoded URLs were tested at the exams. Even then, how do you decode a hex URL without a tool? This I don't know. What things would I be expected to know in URL De-obfuscation for the test? If I manage to do the exam and pass (so far I have never failed an exam, but there's always a first time), I will definitely put comments on the forum.

Thanks

Title: Re: Exam version 4 help
Post by: jimbob on August 31, 2006, 07:10:18 AM

With character de-obfuscation, try writing a script in Perl to do it for you. It's a good way of learning how it works. Try writing one to do URLs (%00), backslash escaped chars (\x00) and unicode.
There are several write-ups on the web of real attempts to remove obfuscation. SANS have a nice list of some URL obfuscation techniques. http://isc.sans.org/presentations/urlobfuscation.txt

Regards,
Jim

Title: Re: Exam version 4 help
Post by: Oyle on August 31, 2006, 08:50:55 AM

URL de-obfuscation is really quite easy, and all you need for it is the Windows Calculator, which I WAS allowed to use during the exam. There is a simple formula, well worth memorizing. This formula should be all you need to know. But in the exam I took (passed it in Dec. 04) I only had ONE question on URL de-obfuscation.

With URL de-obfuscation, you can represent URLs as a DWORD value, or as HEX, DECIMAL, OCTAL, or ANY COMBINATION OF THOSE. You can insert text into certain areas of a URL that the browser will ignore. It's really pretty cool. There is a 10 page website that does an excellent job of explaining it; it's what I used. It's all explained here: http://www.pc-help.org/obscure.htm Have fun!

Also good to memorize:
%20 is the Unicode equivalent of Space (pressing the space bar)
%40 is the Unicode equivalent of @ (the AT sign)

Note: the web page linked above is only one page of a larger site. Remove the trailing "obscure.htm", and there's lots more good info there, too.

Good luck on the exam!! You'll have a long wait for your certificate, be warned.

Title: Re: Exam version 4 help
Post by: jimbob on August 31, 2006, 09:08:03 AM

I just dug out the emails I got when playing this game. The best clue I can give without giving the game away is to suggest you install the LiveHTTPHeaders plugin for Firefox. It will make your life a little easier!

Jim

Title: Re: Exam version 4 help
Post by: skel on August 31, 2006, 10:14:39 AM

Thanks for the info. The URLs really helped me. I think I have a pretty good idea of decoding URLs now.

But I think I will skip the Perl script as I am not much of a Linux guy :-[ . Does anybody know a good site that has some tutorial on analysing Snort logs for attacks? I found this pretty good article at http://www.securityfocus.com/infocus/1676 Does anybody know any other articles on this subject?

Thanks and regards

Title: Re: Exam version 4 help
Post by: Negrita on August 31, 2006, 03:29:23 PM

I just passed this exam 3 hours ago and I can confirm that Don and Oyle are spot on. You may want to do some revision on SQL injection and on buffer overflows; I found there were quite a few questions about them.
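The decoding that jimbob and Oyle describe above, worked through as an added example (this is not code from any poster in the thread, and it is Python rather than the Perl jimbob suggests): it resolves %XX and \xXX escapes, rewrites a host given as a single DWORD or as hex, octal and decimal dotted parts into plain dotted decimal, and separates out any text placed in front of an @ sign, which browsers of the period displayed as if it were the site name. The sample URLs are constructed for the example; every one of them resolves to the private address 192.168.0.1.

```python
import re
from ipaddress import IPv4Address
from urllib.parse import urlsplit, unquote

# Constructed sample URLs (not taken from the thread); each one hides 192.168.0.1.
SAMPLES = [
    "http://www.example.com@0xC0.0250.0.1/index.html",          # hex + octal parts, decoy name before '@'
    "http://3232235521/",                                         # whole address as one DWORD
    "http://www.example.com%40%30%78%43%30%41%38%30%30%30%31/",   # %40 hides the '@', host spelt in %XX
    "http://192.0xA8.0.1/",                                       # mixed radix within one address
]


def decode_escapes(s: str) -> str:
    """Resolve C-style \\xXX escapes, then %XX percent-encoding, to plain characters."""
    s = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def decode_host(host: str) -> str:
    """Rewrite an IPv4 host written as a DWORD or as hex/octal/decimal dotted parts
    (classic inet_aton rules: 1 to 4 parts, the last part filling the remaining bytes)
    into dotted decimal. Anything that is not such a number is returned unchanged."""
    nums = []
    for part in host.split("."):
        if re.fullmatch(r"0[xX][0-9A-Fa-f]+", part):
            nums.append(int(part, 16))
        elif re.fullmatch(r"0[0-7]+", part):          # a leading zero marks octal
            nums.append(int(part, 8))
        elif re.fullmatch(r"[0-9]+", part):
            nums.append(int(part, 10))
        else:
            return host                                # an ordinary hostname, leave it alone
    if not 1 <= len(nums) <= 4:
        return host
    value = 0
    for n in nums[:-1]:                                # leading parts are single bytes
        if n > 0xFF:
            return host
        value = (value << 8) | n
    tail_bits = 8 * (5 - len(nums))                    # the last part covers the rest of the 32 bits
    if nums[-1] >= 1 << tail_bits:
        return host
    return str(IPv4Address((value << tail_bits) | nums[-1]))


def deobfuscate_url(url: str) -> dict:
    """Return the canonical form of an obfuscated URL plus the pieces that were hiding it."""
    decoded = decode_escapes(url)
    parts = urlsplit(decoded)
    real_host = decode_host(parts.hostname or "")
    port = f":{parts.port}" if parts.port else ""
    canonical = f"{parts.scheme}://{real_host}{port}{parts.path or '/'}"
    if parts.query:
        canonical += "?" + parts.query
    return {
        "canonical": canonical,
        "host": real_host,
        # anything before '@' is userinfo; it is not the server the request goes to
        "decoy_userinfo": parts.username,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        result = deobfuscate_url(sample)
        print(f"{sample}\n  -> {result['canonical']}  (decoy text: {result['decoy_userinfo']})")
```

Percent-decoding is applied to the whole URL before it is split, so a %40 in the authority is exposed as the @ it stands for; the same pass also turns a %2F in the path into a slash, which is what you want when the goal is to see where a link really goes rather than to fetch it.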
Title: Re: Exam version 4 help
Post by: Kev on August 31, 2006, 04:16:41 PM

If I remember correctly, the CEH exam database consists of something like 500 questions. Each time the test is given, 125 questions are pulled out of this database at random. This makes everyone's experience a little different.

My experience with the test consisted of at least 5 questions on reading Snort logs, several questions asking to identify Ethereal logs and some questions concerning Nmap and Netcat switches. Also, many questions that had nothing to do with tools. Have you heard terms like “piggy backing, black box testing, hacktivism, etc.”? Good luck with the test and let us know how it goes.

Title: Re: Exam version 4 help
Post by: skel on August 31, 2006, 10:19:40 PM

> I just passed this exam 3 hours ago and I can confirm that Don and Oyle are spot on. You may want to do some revision on SQL injection and on buffer overflows; I found there were quite a few questions about them.

Hi Negrita

Congratulations!!!!! I shall take your advice.

Title: Re: Exam version 4 help
Post by: skel on August 31, 2006, 10:28:17 PM

> My experience with the test consisted of at least 5 questions on reading Snort logs, several questions asking to identify Ethereal logs and some questions concerning Nmap and Netcat switches. Also, many questions that had nothing to do with tools. Have you heard terms like “piggy backing, black box testing, hacktivism, etc.”? Good luck with the test and let us know how it goes.

Hi Kev

Ethereal logs are something I have not looked at. I will do it today. Thanks for the tip. I think I can get through the non-tool questions.

Regards

Title: Re: Exam version 4 help
Post by: Negrita on September 01, 2006, 03:14:14 AM

> Hi Negrita
>
> Congratulations!!!!! I shall take your advice.

Thank you skel. You may find in the exam that some questions combine topics; for example, you might be shown a Snort log of a buffer overflow or some other exploit, or even an Nmap scan, and be asked questions about that.