Well If you are on a LAN, a sniffer will tell you which Servers are running which applications as long as somebody in that VLAN/switch communicates.

Hi Guys

Thanks for the advice. I did go through both CCNA and SE training. But cant remember anything now  . 

The guy who did the couse was not very satisfactiry either. We did complain to the program director and he changed his style on day 3 onwards. But I still  I wouldnt recommed him to any one.  I did my CCSA and CCSE for CP2000 about 5 yrs ago and that instructor was GOOD!.

So I have my official gudes and the CDs. It will be like starting fresh. 

Question :
Is there any difference in NG/AI and NGX certification ?

Regards

Hi

On the packet capture.

1. This attack is obviously a port scan using malformed TCP packets (scaning ports from 1 to 1024)
2. Also notice the scans originate form port 31337.
3. The packets are TCP

The BO is known to listen on port 31337. But I doubt that it originates sessions from the listning port. If the destination port was 31337 then the communication is probably BO. So the source port being 31337 could mean thst it is a random port but it just happened to be 31337 in this case.

I can also remember reading somewhere that BO uses UDP  (may be I am wrong here).

In addition does BO have plugins to do port scanning? This I dont know. I have not seen a plugin to do this.

Therefore I doubt that this is a BO activity.

Regards

Also Look at this question

Snort has been used to capture packets on the network. On studying the packets, the penetration tester
finds it to be abnormal. If you were the penetration tester, why would you find this abnormal?
(Note: The student is being tested on concept learnt during passive OS fingerprinting, basic TCP/IP
connection concepts and the ability to read packet signatures from a sniff dumo.)
05/20-17:06:45.061034 192.160.13.4:31337 -> 172.16.1.101:1
TCP TTL:44 TOS:0x10 ID:242
***FRP** Seq: 0XA1D95 Ack: 0x53 Win: 0x400
.
.
.
05/20-17:06:58.685879 192.160.13.4:31337 -> 172.16.1.101:1024
TCP TTL:44 TOS:0x10 ID:242
***FRP** Seg: 0XA1D95 Ack: 0x53 Win: 0x400
What is odd about this attack? (Choose the most appropriate statement)
A. This is not a spoofed packet as the IP stack has increasing numbers for the three flags.
B. This is back orifice activity as the scan comes from port 31337.
C. The attacker wants to avoid creating a sub-carrier connection that is not normally valid.
D. There packets were created by a tool; they were not created by a standard IP stack.

Test king says answer is B. But I think the answer should be D because a valid IP packet cannot have a all FRP flags set. So this has to be a tool.

Maybe somebody can clarify this answer.

Hi Kev

I would think the errors would be around 10%. But which 10% is the big  question. Some CEH  questions are very ambigous. So even if u search the whole internet u cant get a  clear solution.

For Ex look at the following q

An Nmap scan shows the following open ports, and nmap also reports that the OS guessing results to
match too many signatures hence it cannot reliably be identified:

21 ftp
23 telnet
80 http
443 https


What does this suggest ?

A. This is a Windows Domain Controller
B. The host is not firewalled
C. The host is not a Linux or Solaris system
D. The host is not properly patched

I realy dont know what the answer to this. And I got this in the exam too.

So best is to use the test king as guide and dig for information. So end of the day u will not only pass the exam but have good knowlade on hacking too.

I havent seen preplogic or Bonson Exams, But I read in one Checkpoint forum that one guy got only about 5 questions in the exams from the Bonson Practice test. May be a member who has done Bonson can comment on this.

regards

Hi Negrita and friends

Hope this is the right group to post it.

I went through the Checkpoint Training last year (Dec I think). I got my exam vouchers extended till mid next year. But hope to do it by end this year.

We do have Checkoint NG running but havent had a chance to do much with it.  I am planning to put up a test enviorenment if possible.

But for Now I am going to take a break for week or so ( Well that means will do only office work !    ) be4 thinking about CP.

I sure can use some advise when I start stying.

Regards

Hi Negrita

Will post my reply to the Certifications discussion group

regards

Well the chapter form the CEH: Exam Prep 2 - Technical Foundations of Hacking  http://www.ethicalhacker.net/content/view/50/2/ was quite useful. Also the thread I started about 2 weeks ago. you, Oyle, and jimbob gave some hints on what to expect on the exams.



Next in line is the two Checkpoint NG certifications. I did CCSA and CCSE for CP2000 about 5 years ago. Need to do it again for the NG.

Anybody who has done it here ??

Regards

Thanks everybody

I agree with Don. But considering the extent of the tools covered and the size of the syllabus, you just cant cover everything unless you are full time studying. So a brain dump like test king is a excellent guide. And if you can find out the correct answers to the questions there, u are gurenteed to pass. 

Anyway there were number of questions on packet dumps. So try to understand them. specially Snort dumps. learn to identify IP flags, ehternet and IP source and destination addresses. Also remember the hex codes for ASCII claractors ,numbers and special charactors like '. ( need this to identify sql injections) . Also remember common port numbers like FTP/Telnet/SSH/SSL/TFTP/SNMP/DNS/Netbios/Keberos/IKE authentication (port 500).

If there are any specific questions, I will try to answer from what ever I know.

Well thats it.

Regards

Hi guys

This note is to thank u for helping in my CEH. I got through the exam about 2 hrs ago with 91/100

I have one advise to all who want to do the CEH. Grab a Test King or similar document. 95% of the questions are there. But dont rely on the answers given by them. Lot of mistakes there. But study each question carefully and find all background information from the web.

If it is a tool, download it run it and experience it. Study all the Snort Logs , NMAP outputs using the questions as the guide.

So by the time u are done though the question list you have gained more than enogh knowladge to pass.

Best of Luck to those who plan to do the exam in the near future and thanks for the guys who gave me hints on areas to concentrate

Bye

Hi Kev

Ethereal logs are something I have not looked at. I will do it today. Thanks for the tip. I think I can get through the non tool questions.

Regards

Hi Negrita

Congradulations !!!!!

I shall take your advice



 

thanks for the info. The URLs really helped me. I think I have pretty good idea of decoding URLs now.

But I think I will skip the perl script as I am not much of a linux guy .

Does anybody know a good site that has a some tutorial on analysing snort logs for attacks ?

I found this prtty good article at http://www.securityfocus.com/infocus/1676

Does anybody know any other articles on this subject ?

Thanks and regards

Hi guys

Thanks to Kev and Oyle for the replies and tips.

I went through my training last year and was planning to do the exams ever since. I have done through the Books and and played around with the Auditor CD and PHLAK CDs. And I am going through them again now.

Well our training was nothing like what Fenris wrote. This was a more relaxed (loose ?  )  training and there was nothing called Lab classes. We didn’t even have Linux box. We got the internet connection to the training room only on the second or third day.  But the guy who did the training really knew his stuff. So nothing much to hack we hacked in to the training institutes file server using a buffer overflow attack. I must say the institutes guys were surprised  . But it was harmless fun and the institute got a free penetration testing job for free. So u gus are lucky to go through such a thorough exam preparation boot camp.

Anyway I have decided to do the exam next week ( actually was planning to do it last weekend but was stuck with office work). And also my exam voucher will be expiring soon 


I learned some thing new today . URL De-obfuscation !! first time I heard that word. But I now I realise this refers to decoding encoded URLs. Please correct me if I am wrong.

I thought only hex encoded URLs were tested at the exams. Even that, how do you decode a hex URL without a tool ? This I don’t know. What things would I be expected to know in URL De-obfuscation for the test ?


If I manage to do the exam and pass (So far I have never failed a exam but always a first time), I will definitely put comments at the forum


Thanks

Hi

I came across this site when searching for hping info. This site is great. This is the only discussion site I found relating to CEH. So thanks for the owner

I am thinking of sitting for the CEH next week  (if my office time permits). I have a genereic question from guys who have done the exam 4.

I have a general idea of what the ver 3 of exams looks like. But how about the version 4.? Is is similar to ver 3?

What are the most common tools the exam focussed in relation to parameters etc.

thanks