
Exam version 4 help

<<

skel

Jr. Member

Posts: 60

Joined: Wed Aug 30, 2006 11:31 am

Post Wed Aug 30, 2006 12:07 pm

Exam version 4 help

Hi

I came across this site when searching for hping info. This site is great. This is the only discussion site I found relating to CEH. So thanks to the owner.

I am thinking of sitting for the CEH next week (if my office time permits). I have a generic question for the guys who have done exam version 4.

I have a general idea of what ver 3 of the exam looks like. But how about version 4? Is it similar to ver 3?

What are the most common tools the exam focussed on in relation to parameters etc.?

thanks
Skel
<<

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Aug 30, 2006 2:00 pm

Re: Exam version 4 help

First of all, thanks for the compliment and welcome to EH-Net from the 'owner.' As always we look forward to your continued participation.

In your post you say that you're thinking of sitting for the exam next week. Have you put in the time to study and do you have experience in the field? Although not a hard exam, it is easy for those who are prepared.

I can't give away too much, as I have already taken the exam and don't want to be unethical. But be sure to know switches for Nmap and Netcat. Most of the other tools, you just need to know what it does, but not the switches.

There are also questions with Snort log dumps. You don't need to know Snort in depth, but it would help to know what the attack looks like.

Hope this helps,
Don
CISSP, MCSE, CSTA, Security+ SME
<<

oyle

Sr. Member

Posts: 264

Joined: Mon Jan 02, 2006 11:19 am

Location: Cleveland Ohio

Post Wed Aug 30, 2006 7:13 pm

Re: Exam version 4 help

Welcome. I did the exam ver. 2.3, and there were questions on buffer overflows, DDoS, and many other goodies. I had a question on URL De-obfuscation that was not covered in my class. Make sure you know how to de-obfuscate.
Some programming knowledge would be nice, as well.

Hope you understand that once we pass an exam we could not take it again, even if we WANTED to throw the money away. Same as with Microsoft exams, once you PASS an exam, you are NOT ALLOWED to take it again.  :o  Then again, why would you want to?

Like Don asked, are you SURE you're ready for it?  ??? ???
MCP, MCP+I, MCSA, MCSE(NT4/W2K), CCNA, CCA, NWCCC, VH-PIRTS, CEH
--------------------
"hackers are like jedi, crackers are like the sith: do not fall prey to the dark side".

From 1337 h4x0r h4ndb00k: "the ten laws of geek", law x
                  -Tapeworm
<<

LSOChris

Post Wed Aug 30, 2006 11:52 pm

Re: Exam version 4 help

welcome!
<<

skel

Jr. Member

Posts: 60

Joined: Wed Aug 30, 2006 11:31 am

Post Thu Aug 31, 2006 12:24 am

Re: Exam version 4 help

Hi guys

Thanks to Kev and Oyle for the replies and tips.

I went through my training last year and was planning to do the exams ever since. I have gone through the books and played around with the Auditor CD and PHLAK CDs. And I am going through them again now.

Well our training was nothing like what Fenris wrote. This was a more relaxed (loose ?  :( ) training and there was nothing called Lab classes. We didn’t even have a Linux box. We got the internet connection to the training room only on the second or third day. But the guy who did the training really knew his stuff. So nothing much to hack we hacked in to the training institute's file server using a buffer overflow attack. I must say the institute's guys were surprised  :o. But it was harmless fun and the institute got a free penetration testing job for free. So you guys are lucky to go through such a thorough exam preparation boot camp.

Anyway I have decided to do the exam next week ( actually was planning to do it last weekend but was stuck with office work). And also my exam voucher will be expiring soon  ;D


I learned something new today. URL De-obfuscation!! First time I heard that word. But now I realise this refers to decoding encoded URLs. Please correct me if I am wrong.

I thought only hex encoded URLs were tested at the exams. Even that, how do you decode a hex URL without a tool ? This I don’t know. What things would I be expected to know in URL De-obfuscation for the test ?


If I manage to do the exam and pass (so far I have never failed an exam, but there is always a first time), I will definitely put comments at the forum.


Thanks
Skel
<<

jimbob

Post Thu Aug 31, 2006 7:10 am

Re: Exam version 4 help

With character de-obfuscation, try writing a script in perl to do it for you. It's a good way of learning how it works. Try writing one to do URLs (%00), backslash escaped chars (\x00) and unicode (&#00).

There are several write ups on the web of real attempts to remove obfuscation. SANS have a nice list of some URL obfuscation techniques.

http://isc.sans.org/presentations/urlobfuscation.txt

Regards,
Jim
<<

oyle

Sr. Member

Posts: 264

Joined: Mon Jan 02, 2006 11:19 am

Location: Cleveland Ohio

Post Thu Aug 31, 2006 8:50 am

Re: Exam version 4 help

URL de-obfuscation is really quite easy, and all you need for it is the Windows Calculator, which I WAS allowed to use during the exam. There is a simple formula, well worth memorizing. This formula should be all you need to know. But in the exam I took, (passed it in Dec. 04) I only had ONE question on URL de-obfuscation.

With URL de-obfuscation, you can represent URLs as a DWORD value, or as HEX, DECIMAL, OCTAL, or ANY COMBINATION OF THOSE. You can insert text into certain areas of a URL that the browser will ignore. It's really pretty cool. There is a 10 page website that does an excellent job of explaining it; it's what I used. It's all explained here:

Click HERE.
Have fun!

Also good to memorize:

%20 is the Unicode equivalent of Space (pressing the space bar)
%40 is the Unicode equivalent of @ (the AT sign)

Note: the web page hyperlinked above is only one page of a larger site. Remove the trailing "obscure.htm", and there's lots more good info, there, too.

Good luck on the exam!! You'll have a long wait for your certificate, be warned.
Last edited by oyle on Thu Aug 31, 2006 9:37 am, edited 1 time in total.
MCP, MCP+I, MCSA, MCSE(NT4/W2K), CCNA, CCA, NWCCC, VH-PIRTS, CEH
--------------------
"hackers are like jedi, crackers are like the sith: do not fall prey to the dark side".

From 1337 h4x0r h4ndb00k: "the ten laws of geek", law x
                  -Tapeworm
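
The decoding jimbob and oyle describe above, as an added example that is not part of the original thread (Python here, not the Perl jimbob suggests): it decodes the three escape forms and rewrites a DWORD, hex, octal or mixed-base IPv4 host as a dotted quad, ignoring any decoy text before the `@`. The function names and sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

def decode_escapes(text, percent=True):
    """Decode &#NN; / &#xHH;, \\xHH and (optionally) %HH escapes."""
    text = re.sub(r"&#[xX]([0-9a-fA-F]{1,5});?", lambda m: chr(int(m.group(1), 16)), text)
    text = re.sub(r"&#([0-9]{1,6});?", lambda m: chr(int(m.group(1))), text)
    text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text) if percent else text

def parse_number(part):
    """One address component: 0x = hex, leading 0 = octal, otherwise decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)
    if re.fullmatch(r"0|[1-9][0-9]*", part):
        return int(part)
    return None

def normalise_host(host):
    """Dotted-quad form of a numeric IPv4 host in any base; other hosts unchanged."""
    nums = [parse_number(p) for p in host.split(".")]
    if len(nums) > 4 or None in nums:
        return host.lower()
    # Leading components are one byte each; the last one fills the remaining bytes.
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** (5 - len(nums)):
        return host.lower()
    value = nums[-1]
    for i, n in enumerate(nums[:-1]):
        value |= n << (8 * (3 - i))
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def real_host(url):
    """Host the URL really points at, ignoring decoy text placed before '@'."""
    parts = urlsplit(decode_escapes(url, percent=False))
    return normalise_host(unquote(parts.hostname or ""))

# Constructed samples; 192.0.2.1 is a documentation address (RFC 5737).
SAMPLES = [
    "http://www.example.com@3221225985/login",   # DWORD host behind a decoy name
    "http://0xC0.0.02.1/",                       # hex, decimal and octal mixed
    "http://example.org&#64;030000001001/",      # entity-encoded '@', octal DWORD
    "http://www.example.com/",                   # ordinary URL, left alone
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:45} -> {real_host(sample)}")
```

The percent-decoding of the host is applied after the URL is split, so an encoded `%40` is not mistaken for a real `@` separator.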
<<

jimbob

Post Thu Aug 31, 2006 9:08 am

Re: Exam version 4 help

I just dug out the emails I got when playing this game. The best clue I can give without giving the game away is to suggest you install the LiveHTTPHeaders plugin for Firefox. It will make your life a little easier!

Jim
<<

skel

Jr. Member

Posts: 60

Joined: Wed Aug 30, 2006 11:31 am

Post Thu Aug 31, 2006 10:14 am

Re: Exam version 4 help

thanks for the info. The URLs really helped me. I think I have pretty good idea of decoding URLs now.

But I think I will skip the perl script as I am not much of a linux guy :-[ .

Does anybody know a good site that has a tutorial on analysing snort logs for attacks?

I found this pretty good article at http://www.securityfocus.com/infocus/1676

Does anybody know any other articles on this subject ?

Thanks and regards
Skel
<<

Negrita

Sr. Member

Posts: 299

Joined: Sat Sep 10, 2005 5:45 pm

Location: /dev/null

Post Thu Aug 31, 2006 3:29 pm

Re: Exam version 4 help

I just passed this exam 3 hours ago and I can confirm that Don and Oyle are spot on. You may want to do some revision on SQL injection and on buffer overflows; I found there were quite a few questions about them.
CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.
<<

Kev

Post Thu Aug 31, 2006 4:16 pm

Re: Exam version 4 help

If I remember correctly, the CEH exam database consists of something like 500 questions. Each time the test is given, 125 questions are pulled out of this database at random. This makes everyone's experience a little different.

My experience with the test consisted of at least 5 questions on reading snort logs. Several questions asking to identify Ethereal logs and some questions concerning Nmap and Netcat switches. Also, many questions that had nothing to do with tools. Have you heard terms like “piggy backing, black box testing, hacktivism, etc.”?

Good luck with the test and let us know how it goes.
Last edited by Kev on Thu Aug 31, 2006 6:00 pm, edited 1 time in total.
<<

skel

Jr. Member

Posts: 60

Joined: Wed Aug 30, 2006 11:31 am

Post Thu Aug 31, 2006 10:19 pm

Re: Exam version 4 help

Negrita wrote: I just passed this exam 3 hours ago and I can confirm that Don and Oyle are spot on. You may want to do some revision on SQL injection and on buffer overflows; I found there were quite a few questions about them.


Hi Negrita

Congratulations!!!!!

I shall take your advice
Skel
<<

skel

Jr. Member

Posts: 60

Joined: Wed Aug 30, 2006 11:31 am

Post Thu Aug 31, 2006 10:28 pm

Re: Exam version 4 help

Kev wrote:
    My experience with the test consisted of at least 5 questions on reading snort logs. Several questions asking to identify Ethereal logs and some questions concerning Nmap and Netcat switches. Also, many questions that had nothing to do with tools. Have you heard terms like “piggy backing, black box testing, hacktivism, etc.”?

    Good luck with the test and let us know how it goes.



Hi Kev

Ethereal logs are something I have not looked at. I will do it today. Thanks for the tip. I think I can get through the non tool questions.

Regards
Skel
<<

Negrita

Sr. Member

Posts: 299

Joined: Sat Sep 10, 2005 5:45 pm

Location: /dev/null

Post Fri Sep 01, 2006 3:14 am

Re: Exam version 4 help

skel wrote: Hi Negrita

Congratulations!!!!!

I shall take your advice


Thank you skel.

You may find in the exam that some questions combine topics, for example you might be shown a snort log of a buffer overflow or some other exploit, or even an nmap scan, and be asked questions about that.
CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.
