Hi

I came across this site when searching for hping info. This site is great. This is the only discussion site I found relating to CEH. So thanks for the owner

I am thinking of sitting for the CEH next week  (if my office time permits). I have a genereic question from guys who have done the exam 4.

I have a general idea of what the ver 3 of exams looks like. But how about the version 4.? Is is similar to ver 3?

What are the most common tools the exam focussed in relation to parameters etc.

thanks

Welcome. I did the exam ver. 2.3, and there were questions on buffer overflows, DDoS, and many other goodies. I had a question on URL De-obfuscation that was not covered in my class. Make sure you know how to de-obfuscate.
Some programming knowledge would be nice, as well.

Hope you understand that once we pass an exam we could not take it again, even if we WANTED to throw the money away. Same as with Microsoft exams, once you PASS an exam, you are NOT ALLOWED to take it again.     Then again, why would you want to?

Like Don asked, Are you SURE you're ready for it?   

Hi guys

Thanks to Kev and Oyle for the replies and tips.

I went through my training last year and was planning to do the exams ever since. I have done through the Books and and played around with the Auditor CD and PHLAK CDs. And I am going through them again now.

Well our training was nothing like what Fenris wrote. This was a more relaxed (loose ?  )  training and there was nothing called Lab classes. We didn’t even have Linux box. We got the internet connection to the training room only on the second or third day.  But the guy who did the training really knew his stuff. So nothing much to hack we hacked in to the training institutes file server using a buffer overflow attack. I must say the institutes guys were surprised  . But it was harmless fun and the institute got a free penetration testing job for free. So u gus are lucky to go through such a thorough exam preparation boot camp.

Anyway I have decided to do the exam next week ( actually was planning to do it last weekend but was stuck with office work). And also my exam voucher will be expiring soon 


I learned some thing new today . URL De-obfuscation !! first time I heard that word. But I now I realise this refers to decoding encoded URLs. Please correct me if I am wrong.

I thought only hex encoded URLs were tested at the exams. Even that, how do you decode a hex URL without a tool ? This I don’t know. What things would I be expected to know in URL De-obfuscation for the test ?


If I manage to do the exam and pass (So far I have never failed a exam but always a first time), I will definitely put comments at the forum


Thanks

URL de-obfuscation is really quite easy, and all you need for it is the Windows Calculator, which I WAS allowed to use during the exam. There is a simple formula, well worth memorizing. This formula should be all you need to know. But in the exam I took, (passed it in Dec. 04) I only had ONE question on URL de-obfuscation.

With URL de-obfuscation, you can represent URLs as a DWORD value, or as HEX, DECIMAL, OCTAL, or ANY COMBINATION OF THOSE. You can insert text into certain areas of a URL that the browser will ignore. It's really pretty cool. There is a 10 page website that does an excellent job of explaining it; it's what I used. It's all explained here:

Click HERE.
Have fun!

Also good to memorize:

%20 is the Unicode equivalent of Space (pressing the space bar)
%40 is the Unicode equivalent of @ (the AT sign)

Note: the web page hyperlinked above is only one page of a larger site. Remove the trailing "obscure.htm", and there's lots more good info, there, too.

Good luck on the exam!! You'll have a long wait for your certificate, be warned.

thanks for the info. The URLs really helped me. I think I have pretty good idea of decoding URLs now.

But I think I will skip the perl script as I am not much of a linux guy .

Does anybody know a good site that has a some tutorial on analysing snort logs for attacks ?

I found this prtty good article at http://www.securityfocus.com/infocus/1676

Does anybody know any other articles on this subject ?

Thanks and regards

   If  I remember correctly, the CEH examine datebase consists of something like 500 questions. Each time the test is given, 125 questions are pulled out of this database at random.  This makes everyone's  experience a little different.

     My experience with the test consisted of at least 5 questions on reading snort logs. Several questions asking to identify Ethereal logs and some questions concerning Nmap and Netcat switches.   Also, many questions that had nothing to do with tools.  Have you heard  terms like “piggy backing, black box testing, hacktivism,etc..”?

    Good luck with the test and let us know how it goes.

Hi Kev

Ethereal logs are something I have not looked at. I will do it today. Thanks for the tip. I think I can get through the non tool questions.

Regards