Best Ethical Hacking Interview Preparation in Nagercoil

๐Ÿ” CEH Interview Preparation

CERTIFIED ETHICAL HACKER

Complete Interview Questions & Answers Guide

Section 1: Ethical Hacking Basics
Q1: What are the three pillars of information security (CIA triad) and what does each represent?

The CIA triad consists of:

  • Confidentiality: Measures taken to prevent disclosure of information to unauthorized individuals or systems
  • Integrity: Methods to protect information from unauthorized alteration, ensuring data arrives unchanged
  • Availability: Ensuring communications systems and data are ready for use when legitimate users need them
Q2: Explain the Security, Functionality, and Ease of Use triangle.

This triangle represents a fundamental security principle: as security increases, functionality and ease of use decrease. Organizations must balance these three elements - making a system more secure typically makes it less functional and harder to use.

Q3: What distinguishes an ethical hacker from a cracker?
  • Ethical Hacker: Works with explicit written permission and approval from a customer to improve security
  • Cracker (Malicious Hacker): Uses skills for personal gain or destructive purposes without permission and outside the interest of the system owner
Q4: Describe the three classifications of hackers by "hat color."
  • White Hats: Ethical hackers hired to test and improve security with permission
  • Black Hats: Crackers who illegally use skills for personal gain or malicious intent
  • Gray Hats: Neither good nor bad - curious about techniques or believe it's their duty to demonstrate flaws, but work without explicit permission
Q5: What are the five phases of ethical hacking?
  1. Reconnaissance: Gathering information about targets (passive and active)
  2. Scanning and Enumeration: Actively applying tools to gather in-depth information
  3. Gaining Access: Launching actual attacks against enumerated targets
  4. Maintaining Access: Ensuring continued access through backdoors, trojans, etc.
  5. Covering Tracks: Concealing success and avoiding detection
Q6: What are the three main phases of a penetration test?
  1. Preparation: Contract negotiation, scope definition, team assignment
  2. Assessment (Security Evaluation): Actual security control testing
  3. Conclusion (Post-Assessment): Final report preparation with findings and recommendations
Q7: Explain the difference between black box, white box, and gray box testing.
  • Black Box: No knowledge of the target system; simulates an external, unknown attacker
  • White Box: Full knowledge of the network/system infrastructure; simulates a knowledgeable internal threat
  • Gray Box: Limited knowledge; simulates privilege escalation by a trusted employee
Section 2: Cryptography 101
Q8: What is the difference between symmetric and asymmetric encryption?
  • Keys: Symmetric uses one key for both encryption and decryption; asymmetric uses key pairs (public/private)
  • Speed: Symmetric is fast; asymmetric is slower
  • Key Distribution: Symmetric has key distribution problems; asymmetric solves key distribution
Q9: What are the key lengths for DES, 3DES, and AES?
  • DES: 56 bits (a 64-bit key of which 8 bits are parity)
  • 3DES: 168 bits
  • AES: 128, 192, or 256 bits
Q10: Explain the difference between block and stream ciphers.
  • Stream Ciphers: Encrypt data as continuous stream, one bit at a time using XOR operations - very fast
  • Block Ciphers: Split data into blocks (usually 64 bits) and encrypt each block - slower but use substitution and transposition
Q11: What is a hash algorithm and what is its primary purpose?

A hash algorithm is a one-way mathematical function that produces a fixed-length output (the hash, or digest) from input data of any length.

Primary Purpose: To verify data integrity - any change in input produces a completely different hash value.

Q12: What is a collision attack in cryptography?

A collision occurs when two or more different inputs produce the same hash output. A secure hash function makes this computationally infeasible; a collision attack exploits it to pass off a fake file as the original, since both hash to the same value.

Q13: What is steganography?

Steganography is the practice of concealing messages inside another medium (like images or files) so that only sender and recipient know of its existence - unlike encryption where everyone knows secret communication is occurring.

Q14: Explain PKI and its main components.

PKI (Public Key Infrastructure) is a framework for creating, managing, storing, distributing, and revoking keys and digital certificates.

Main Components:

  • Certificate Authority (CA): Creates and issues digital certificates
  • Certificate Revocation List (CRL): Tracks problematic certificates
  • Registration Authorities (RAs): Intermediate CAs in hierarchical systems
Q15: What information is contained in an X.509 digital certificate?
  • Version
  • Serial Number
  • Subject
  • Algorithm ID
  • Issuer
  • Valid From/To dates
  • Key Usage
  • Subject's Public Key
  • Optional fields like Subject Alternative Name
๐Ÿ•ต๏ธ Section 3: Reconnaissance and Footprinting
Q16: What is the difference between passive and active footprinting?
  • Passive Footprinting: Gathering information without touching the target device/network (e.g., website browsing, public records)
  • Active Footprinting: Requires direct interaction with target systems (e.g., social engineering, talking to employees)
Q17: What are the five Regional Internet Registries (RIRs) and their coverage areas?
  • ARIN: North/South America and sub-Saharan Africa
  • APNIC: Asia and Pacific
  • RIPE: Europe, Middle East, and parts of Central Asia/Northern Africa
  • LACNIC: Latin America and Caribbean
  • AfriNIC: Africa
Q18: List the main DNS record types and their purposes.
  • A: Maps a hostname to an IPv4 address
  • AAAA: Maps a hostname to an IPv6 address
  • MX: Identifies email servers
  • CNAME: Provides domain name aliases
  • NS: Defines name servers
  • SOA: Identifies the primary name server for a zone
  • PTR: Maps an IP address to a hostname (reverse DNS)
  • SRV: Defines the hostname and port for specific services
Q19: What is a zone transfer and why is it significant for hackers?

A zone transfer replicates all DNS records from one server to another.

Significance: If unrestricted, it provides attackers with a complete network map showing all internal servers and their purposes.

Q20: Explain Google hacking and provide examples of useful operators.

Google hacking uses advanced search operators to find vulnerabilities.

Key Operators:

site:example.com        # Search a specific domain
filetype:pdf            # Search for specific file types
intitle:"login"         # Search page titles
inurl:"admin"           # Search URLs
cache:example.com       # View cached versions
Section 4: Scanning and Enumeration
Q21: What are the four steps of the scanning methodology?
  1. Identify live systems (ping sweeps)
  2. Discover open ports (port scanning)
  3. Identify OS and services (banner grabbing, OS fingerprinting)
  4. Scan for vulnerabilities
Q22: What is the difference between TCP and UDP at the transport layer?
  • TCP: Connection-oriented, reliable, slower; uses the three-way handshake and ensures delivery
  • UDP: Connectionless, unreliable, fast; no delivery guarantee
Q23: Explain the TCP three-way handshake.
  1. SYN: Client sends synchronization request with sequence number
  2. SYN-ACK: Server responds with SYN-ACK, acknowledging client's sequence number
  3. ACK: Client acknowledges server's sequence number, establishing connection
Q24: What are the six TCP flags and their purposes?
  • SYN: Synchronize - initial connection establishment
  • ACK: Acknowledgment - confirms receipt
  • FIN: Finish - ordered connection close
  • RST: Reset - immediate connection termination
  • PSH: Push - forces immediate data delivery
  • URG: Urgent - out-of-band data
Q25: Compare different nmap scan types.
  • TCP Connect (-sT): Full three-way handshake; most reliable but noisy
  • SYN Scan (-sS): Half-open scan; stealthy, only sends SYN
  • FIN Scan (-sF): Sends FIN packets; works on Unix/Linux
  • XMAS Scan (-sX): Sets FIN, URG, PSH flags; stealthy
  • NULL Scan (-sN): No flags set; stealthy
  • ACK Scan (-sA): Tests firewall rules; used for firewall testing
Q26: What responses would you expect from open vs. closed ports for different scan types?
  • TCP Connect: open port responds SYN-ACK; closed port responds RST-ACK
  • SYN Scan: open port responds SYN-ACK; closed port responds RST
  • FIN/XMAS/NULL: open port gives no response; closed port responds RST
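The half-open SYN scan above leaves a recognisable trace on the defender's side: one source sends bare SYNs to many ports of a host and never follows any of them with an ACK. The following is an added example (not part of the original guide) that runs that check over a constructed set of flow records; the log format, the window and the port threshold are assumptions, and the window parameter shows why a slow (-T1 style) scan can slip under a short one.

```python
from collections import defaultdict

# Constructed flow records (not real traffic): "seconds src dst dport tcp_flags".
# 203.0.113.7 sends bare SYNs to eight ports and never completes a handshake;
# 198.51.100.4 opens one normal session (SYN, then ACK and PSH/ACK with data).
SAMPLE_LOG = """\
0 203.0.113.7 10.0.0.5 22 S
1 203.0.113.7 10.0.0.5 23 S
1 203.0.113.7 10.0.0.5 25 S
2 203.0.113.7 10.0.0.5 80 S
2 203.0.113.7 10.0.0.5 110 S
3 203.0.113.7 10.0.0.5 443 S
3 203.0.113.7 10.0.0.5 445 S
4 203.0.113.7 10.0.0.5 3389 S
5 198.51.100.4 10.0.0.5 443 S
6 198.51.100.4 10.0.0.5 443 A
7 198.51.100.4 10.0.0.5 443 PA
"""

def parse_log(text):
    """Turn the flow text into (ts, src, dst, dport, flags) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, dport, flags = line.split()
        events.append((int(ts), src, dst, int(dport), flags))
    return events

def detect_syn_scans(events, window=60, min_ports=5):
    """Flag a source that sends bare SYNs to at least `min_ports` distinct ports of
    one host within `window` seconds and never follows any of them with an ACK."""
    syn_ts = defaultdict(dict)     # (src, dst) -> {dport: first SYN time}
    acked = defaultdict(set)       # (src, dst) -> ports where src later sent an ACK
    for ts, src, dst, dport, flags in events:
        if flags == "S":
            syn_ts[(src, dst)].setdefault(dport, ts)
        elif "A" in flags:
            acked[(src, dst)].add(dport)
    alerts = []
    for (src, dst), ports in syn_ts.items():
        times = sorted(t for p, t in ports.items() if p not in acked[(src, dst)])
        # Sliding window: any `min_ports` half-open SYNs within `window` seconds.
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= min_ports:
                alerts.append({"src": src, "dst": dst, "half_open_ports": len(times),
                               "span_seconds": times[-1] - times[0]})
                break
    return alerts
```

With the default 60-second window the scanner is flagged; with window=1 the same eight SYNs never reach five inside one window, which is exactly what slow timing relies on.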
Q27: What is banner grabbing and how is it performed?

Banner grabbing captures service banners to identify software versions and potential vulnerabilities.

Methods:

# Telnet method
telnet [IP] [port]
# Netcat method
nc [IP] [port]
# Nmap with service/version detection
nmap -sV [IP]
Q28: Explain Windows Security Identifiers (SIDs) and Resource Identifiers (RIDs).
  • SID: Identifies user, group, and computer accounts in specific format
  • RID: Portion of SID identifying specific user/computer
  • Important RIDs:
    • Administrator RID = 500
    • Guest = 501
    • Users start at 1000
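The RID rules above are easy to turn into a log check: the built-in Administrator keeps RID 500 even after it is renamed, so RID 500 appearing under another account name in logon records is worth a look. The following is an added example (not part of the original guide) that parses the textual SID format and applies that check; the sample SID is constructed.

```python
import re

# Shape of a textual Windows SID: S-1-<authority>-<subauthority>-...-<RID>
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

def parse_sid(sid):
    """Return (identifier_authority, [subauthorities...], rid) for a textual SID."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    nums = [int(x) for x in sid.split("-")[2:]]
    return nums[0], nums[1:-1], nums[-1]

def classify_rid(rid):
    """Map a RID to the account class listed in the answer above."""
    if rid == 500:
        return "built-in Administrator"
    if rid == 501:
        return "built-in Guest"
    if rid >= 1000:
        return "user-created account"
    return "other well-known account"

def is_renamed_admin(sid, username):
    """Defender check: renaming the Administrator account changes its name but not
    its RID, so RID 500 under a different name deserves attention in logon logs."""
    return parse_sid(sid)[2] == 500 and username.lower() != "administrator"

# Constructed domain SID (not a real domain identifier).
SAMPLE_SID = "S-1-5-21-111111111-222222222-333333333-500"
```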
Q29: What is a null session and how does it work?

A null session logs into a system with no user ID or password.

net use \\[target]\IPC$ "" /u:""

Requirements: Ports 135, 137, 139, and 445

Note: Largely eliminated in Windows XP and later

Q30: What are SNMP community strings and their defaults?

SNMP community strings act as passwords:

  • Public: Default read-only string
  • Private: Default read-write string
  • Security Issue: Transmitted in clear text in SNMPv1 and v2
๐ŸŒ Section 5: Sniffing and Network Evasion
Q31: What is promiscuous mode and why is it necessary for sniffing?

Promiscuous mode configures a NIC to capture all frames passing on the medium, regardless of destination address, rather than only frames addressed to that specific NIC.

Necessity: Essential for network sniffing to capture all traffic, not just traffic destined for the monitoring interface.

Q32: Explain ARP and how ARP poisoning works.

ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on local networks.

ARP Poisoning Process:

  1. Attacker sends false ARP replies
  2. Associates attacker's MAC with victim's IP
  3. Redirects traffic through the attacker
  4. Enables man-in-the-middle attacks
Q33: What is the difference between collision domains and broadcast domains?
  • Collision Domain: All devices sharing the same physical medium where collisions can occur; segmented by switches
  • Broadcast Domain: All devices that receive broadcast frames; typically segmented by routers
Q34: How do switches limit sniffing capabilities and what techniques can bypass these limitations?

How switches limit sniffing: A switch forwards unicast frames only to the port of the destination MAC address, so each port is its own collision domain and a sniffer on one port does not see the unicast traffic of other hosts.

Bypass Techniques:

  • ARP Poisoning: Redirect traffic through attacker
  • MAC Flooding: Overflow CAM table to make switch act like hub
  • MAC Spoofing: Impersonate other devices
Q35: What are the key differences between signature-based and anomaly-based IDS?
  • Signature-based: Compares traffic against known attack patterns; fast with low false positives, but only catches known attacks
  • Anomaly-based: Compares traffic against a baseline of normal behavior; catches new/unknown attacks, but produces more false positives
Q36: Explain Snort rule syntax with an example.

Snort Rule Format:

action protocol source_ip source_port -> dest_ip dest_port (options)

Example:

alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"Telnet attempt"; content:"admin";)

This rule alerts on any TCP traffic from external networks to internal Telnet servers containing "admin".
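To make the header and option fields concrete, the following is an added example (not Snort code and not part of the original guide): a small Python matcher that parses the rule above and evaluates it against constructed packets. It assumes a HOME_NET value of 10.0.0.0/8 and supports only the pieces this rule uses: any, $HOME_NET with optional ! negation, a numeric port, and msg/content options.

```python
import ipaddress
import re

# Constructed value for the $HOME_NET variable, assumed for this example.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
# The rule from the answer above.
RULE = 'alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"Telnet attempt"; content:"admin";)'
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")

def parse_rule(text):
    """Split a rule into its header fields plus an options dict (msg, content, ...)."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a valid Snort rule header")
    rule = m.groupdict()
    opts = {}
    for part in rule.pop("opts").split(";"):
        if ":" in part:
            key, _, val = part.strip().partition(":")
            opts[key] = val.strip().strip('"')
    rule["opts"] = opts
    return rule

def addr_matches(spec, ip):
    """Evaluate 'any', '$HOME_NET' or the negated '!$HOME_NET' against an address."""
    if spec == "any":
        return True
    if spec.lstrip("!") != "$HOME_NET":
        raise ValueError("only $HOME_NET is supported in this example")
    in_home = ipaddress.ip_address(ip) in HOME_NET
    return in_home != spec.startswith("!")   # a leading '!' inverts the membership test

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def rule_fires(rule, pkt):
    """pkt is a dict with proto, src, sport, dst, dport and a bytes payload."""
    if pkt["proto"] != rule["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])):
        return False
    if not (port_matches(rule["sport"], pkt["sport"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    content = rule["opts"].get("content")
    # A content option is a case-sensitive substring match on the payload.
    return content is None or content.encode() in pkt["payload"]

def check(pkt, rule_text=RULE):
    """Return the rule's msg when the packet would trigger an alert, else None."""
    rule = parse_rule(rule_text)
    return rule["opts"]["msg"] if rule_fires(rule, pkt) else None
```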

Q37: What information can be extracted from Snort output?
  • Timestamp
  • Source/destination MAC addresses
  • IP addresses
  • Port numbers
  • TCP flags
  • Sequence numbers
  • Packet payload in hex format
Q38: What are common IDS evasion techniques?
  • Slow Scanning: Stay under detection thresholds
  • Fragmentation: Split payloads across multiple packets
  • Flooding: Overwhelm with alerts to hide real attacks
  • Encryption: Hide malicious traffic in encrypted channels
  • Unicode Encoding: Obfuscate attack strings
Q39: Compare packet-filtering and stateful firewalls.
  • Packet-filtering: Examines individual packets against ACLs; fast and simple, but cannot track connection state
  • Stateful: Tracks entire connection conversations; can detect out-of-sequence packets and prevent ACK tunneling, but is more resource intensive
Q40: What is firewalking and how is it performed?

Firewalking systematically tests each port on a firewall to determine which ports/protocols pass through.

Tools for Firewalking:

  • nmap
  • Firewalk
  • Custom scripts
Q41: What is a honeypot and what are important placement considerations?

A honeypot is a decoy system designed to attract and study attackers.

Placement Considerations:

  • Must appear legitimate but be isolated from real network
  • Inside DMZ is more believable than outside firewall
  • Should be monitored but not trusted
  • Needs to blend with legitimate infrastructure
โš”๏ธ Section 6: System Attacks and Advanced Techniques
Q42: What are the four main categories of system attacks?
  1. Operating System Attacks: Target default configurations and unpatched vulnerabilities
  2. Application-level Attacks: Target programming flaws in applications
  3. Shrink-wrap Code Attacks: Exploit default scripts and code in off-the-shelf applications
  4. Misconfiguration Attacks: Take advantage of improperly configured systems
Q43: What is war dialing and what tools are used for it?

War dialing systematically dials phone numbers looking for modems that could provide backdoor access.

Tools:

  • ToneLoc
  • THC-Scan
  • WarVOX
  • PAWS
  • TeleSweep
Q44: What is war driving and what tools are used?

War driving searches for wireless access points by moving around with wireless-enabled devices.

Tools:

  • Silica
  • AirMagnet
  • AirCheck
  • Various WiFi scanners
Q45: What techniques can be used to hide identity during attacks?
  • Proxy Servers: Route traffic through intermediate systems
  • IP Spoofing: Falsify source IP addresses
  • Source Routing: Specify packet routing path
  • Anonymizers: Web-based proxy services
  • Tor: Onion routing for anonymous communication
๐Ÿ› ๏ธ Section 7: Practical Applications
Q46: What ports are commonly associated with these services?
  • FTP: 20/21 (TCP)
  • SSH: 22 (TCP)
  • Telnet: 23 (TCP)
  • SMTP: 25 (TCP)
  • DNS: 53 (TCP/UDP)
  • HTTP: 80 (TCP)
  • POP3: 110 (TCP)
  • SNMP: 161/162 (UDP)
  • HTTPS: 443 (TCP)
  • SMB: 445 (TCP)
Q75: You discover a target network uses 192.168.1.0/24. What nmap command would you use for a stealthy port scan?
nmap -sS -T1 -f 192.168.1.0/24
  • -sS: SYN scan (stealth)
  • -T1: Slow timing
  • -f: Fragment packets
Q76: What Wireshark filter would show only HTTP traffic from a specific IP?
ip.src == 192.168.1.100 and http
Q77: How would you use Google hacking to find vulnerable login pages?
intitle:"login" inurl:"admin" filetype:php
Q78: What nslookup commands would you use to perform a zone transfer?
nslookup
server [DNS_server_IP]
set type=any
ls -d domain.com
Q79: How can you identify if a system is behind a firewall during scanning?

Signs include:

  • Filtered ports in nmap scans
  • ICMP Type 3 Code 13 responses
  • Consistent timeouts on traceroute
  • Selective port blocking patterns
Q80: What information should be included in a penetration test report?
  • Executive summary with business impact
  • Methodology and scope
  • Detailed findings with risk ratings
  • Proof of concept screenshots
  • Remediation recommendations
  • Timeline and effort estimates
โš–๏ธ Section 8: Legal and Ethical Considerations
Q47: What is the difference between vulnerability assessment and penetration testing?
  • Vulnerability Assessment: Identifies and classifies vulnerabilities but doesn't exploit them; the goal is to find potential security issues
  • Penetration Testing: Actually attempts to exploit vulnerabilities; the goal is to demonstrate real-world impact
Q48: What are the legal considerations for ethical hackers?
  • Must have explicit written permission
  • Stay within defined scope
  • Maintain confidentiality through NDAs
  • Understand relevant laws (18 U.S.C. § 1030, CFAA, etc.)
  • Ensure all activities are authorized
Q49: What is the importance of documentation in ethical hacking?

Documentation is crucial because it:

  • Provides evidence of findings
  • Supports recommendations
  • Demonstrates due diligence
  • Enables knowledge transfer
  • Protects both hacker and client legally
Q81: What constitutes proper authorization for ethical hacking?
  • Written contract with clear scope
  • Non-disclosure agreements
  • Specific testing windows
  • Emergency contact procedures
  • Legal liability limitations
Q82: What should you do if you discover illegal content during testing?
  1. Stop accessing the content immediately
  2. Document the discovery carefully
  3. Report through proper legal channels
  4. Consult with legal counsel
  5. Follow mandatory reporting requirements
Q83: How do you handle sensitive data discovered during testing?
  • Minimize data collection
  • Secure storage of evidence
  • Encrypt sensitive findings
  • Limit access to authorized personnel
  • Proper data destruction after testing
Section 9: Advanced Technical Scenarios
Q84: You can't get a reverse shell to connect back. What might be blocking it and how would you troubleshoot?

Potential Blocks:

  • Outbound firewall rules
  • NAT configuration issues
  • IDS/IPS detection
  • Application-layer filtering

Troubleshooting:

  • Try different ports and protocols
  • Use tunneling techniques
  • Leverage established connections
Q85: During a test, you notice your scans are being detected. How do you proceed more stealthily?
  • Slow down scan timing
  • Use decoy IPs (nmap -D)
  • Fragment packets
  • Use source port spoofing
  • Scan through proxies
  • Space out activities over time
Q86: You've gained access to a Windows domain controller. What information would be most valuable?
  • Active Directory database
  • Group Policy configurations
  • DNS zone information
  • User account information
  • Trust relationships