CEH Interview Questions

• Passive Footprinting: Gathering information without directly interacting with the target (using public sources, social media, search engines)
• Active Footprinting: Directly interacting with the target system (port scanning, network mapping, social engineering calls)

• Domain owner information
• Administrative and technical contacts
• Domain registration and expiration dates
• Name servers
• IP address ranges
• Physical addresses
• Email addresses
• Phone numbers

Google dorking uses advanced search operators to find sensitive information. Examples:

DNS zone transfer (AXFR) is a mechanism to replicate DNS databases across servers. It's a security concern because:

• Can reveal all DNS records for a domain
• Exposes internal network structure
• Shows all subdomains and hosts
• May reveal internal IP addresses

• WHOIS tools: whois, Sam Spade
• DNS tools: nslookup, dig, host, dnsrecon
• Web tools: HTTrack, Wget, Archive.org
• Network tools: traceroute, ping
• OSINT frameworks: Maltego, FOCA, theHarvester

1. SYN: Client sends SYN packet to server
2. SYN-ACK: Server responds with SYN-ACK
3. ACK: Client sends ACK to complete connection

This establishes a reliable connection before data transfer

• TCP Connect Scan: Full three-way handshake, logged
• SYN Scan (Half-open): Only SYN packet sent, stealthier
• FIN Scan: Sends FIN packets, works on Unix
• XMAS Scan: Sets FIN, PSH, and URG flags
• NULL Scan: No flags set
• ACK Scan: Used to map firewall rules
• UDP Scan: For UDP services
• IDLE/Zombie Scan: Uses a zombie host for scanning

• Port Scanning: Identifies open ports and services running
• Vulnerability Scanning: Goes deeper to identify specific vulnerabilities, misconfigurations, and security weaknesses in the discovered services

Banner grabbing captures service banners to identify versions and types. Methods:

• HTTP: Send HTTP requests and analyze headers

• Computer names
• Domain names
• User accounts
• Group memberships
• Share information
• Password policies
• Running services
• Tools: enum4linux, nbtscan, net commands

SNMP (Simple Network Management Protocol) enumeration extracts information using:

• Community Strings: Passwords for SNMP access
• Public: Read-only access (default)
• Private: Read-write access (default)
• Information gathered: System info, network interfaces, routing tables, device configurations

• Promiscuous Mode: NIC captures all packets on the network segment, regardless of destination
• Non-Promiscuous Mode: NIC only captures packets destined for its MAC address

ARP poisoning involves sending fake ARP messages to associate the attacker's MAC with another host's IP:

1. Attacker sends ARP replies to victim and gateway
2. Both update their ARP tables with attacker's MAC
3. Traffic flows through attacker (MITM position)
4. Tools: Cain & Abel, Ettercap, arpspoof

MAC flooding overwhelms a switch's CAM table:

1. Attacker sends numerous packets with different source MACs
2. CAM table fills up (limited size)
3. Switch fails open, acting like a hub
4. All traffic is broadcast to all ports
5. Tool: macof

• Send ARP requests for non-existent IPs
• Check response times for packets not destined for the host
• Use tools like PromiscDetect or Promqry
• Check local system with ifconfig (Linux) or device manager (Windows)

• Fragmentation: Split packets into fragments
• Encryption: Encrypt malicious payloads
• Obfuscation: Encode attacks differently
• Session splicing: Split attacks across packets
• Decoy scans: Hide real source among decoys
• Timing attacks: Slow down attack pace
• Protocol-level evasion: Use uncommon protocols

1. Dictionary Attack: Using wordlists
2. Brute Force: Trying all combinations
3. Hybrid Attack: Dictionary + modifications
4. Rainbow Tables: Pre-computed hashes
5. Keylogging: Capturing keystrokes
6. Social Engineering: Tricking users
7. Shoulder Surfing: Physical observation

Passwords stored in SAM file (C:\Windows\System32\config)

• LM Hash:
  • Converts to uppercase
  • Pads to 14 characters
  • Splits into 2x7 character parts
  • Very weak, easily cracked
• NTLM Hash:
  • MD4 hash of password
  • Case-sensitive
  • Stronger than LM but still vulnerable

An attack where an attacker uses a password hash directly without cracking it:

• Captures hash from memory or network
• Uses hash to authenticate to other systems
• Works because Windows accepts hash for authentication
• Tools: Mimikatz, PTH-suite

• Vertical: User to administrator/root
• Horizontal: User to another user

Techniques:

• Exploit unpatched vulnerabilities
• Misconfigurations
• Weak permissions
• DLL hijacking
• Kernel exploits
• Social engineering

ADS allows hiding data behind files:

• Feature of NTFS for compatibility with Mac HFS
• Syntax: file.txt:hidden.txt

• Clear event logs (but don't delete entirely)
• Disable auditing
• Modify timestamps
• Hide files (ADS, hidden attributes)
• Use rootkits
• Clear command history
• Remove created accounts
• Clean Registry entries

Human-based:

• Impersonation
• Dumpster diving
• Shoulder surfing
• Tailgating/Piggybacking
• Reverse social engineering

Computer-based:

• Phishing
• Spear phishing
• Whaling
• Vishing (voice)
• Smishing (SMS)
• Baiting

• Generic greetings ("Dear Customer")
• Spelling and grammar errors
• Suspicious sender addresses
• Urgency or threats
• Requests for sensitive information
• Mismatched URLs (hover to check)
• Unexpected attachments
• Too good to be true offers

Creating a fabricated scenario to gain trust and extract information:

• Impersonating authority figures
• Creating false emergencies
• Building rapport over time
• Using insider knowledge
• Exploiting helpful nature

1. Sabotage: Create a problem
2. Advertising: Present yourself as the solution
3. Assisting: Victim contacts you for help
4. Information gathering: Extract credentials during "help"

SQL injection inserts malicious SQL code into application queries:

• Basic test: Single quote (')
• Authentication bypass: ' OR 1=1--

Common payloads:

Prevention: Parameterized queries, input validation

• Union-based: Uses UNION to combine results
• Error-based: Extracts data from error messages
• Blind SQLi: No visible output, uses true/false conditions
• Time-based Blind: Uses time delays to infer data
• Second-order: Payload executed later

XSS injects malicious scripts into web pages:

• Reflected XSS: Payload in request, immediately reflected
• Stored XSS: Payload stored in database
• DOM-based XSS: Manipulates DOM environment

Example: <script>alert('XSS')</script>

Impact: Session theft, defacement, redirection

Writing more data than allocated buffer space:

• Stack overflow: Overflows stack memory
• Heap overflow: Overflows heap memory
• NOP sled: Series of NOP instructions
• Exploits poor boundary checking
• Can execute arbitrary code

Accessing files outside web root:

• Uses ../ (dot-dot-slash)
• Example: http://site.com/../../etc/passwd
• Unicode encoding: %2e%2e%2f
• Also called path traversal
• Prevention: Input validation, access controls

Modifying parameters in:

• URLs: ?price=100 changed to ?price=1
• Hidden fields in HTML
• Cookies
• HTTP headers
• Form fields

Prevention: Server-side validation

Manual testing:

• Input validation testing
• Authentication testing
• Session management testing

Automated tools:

• Burp Suite
• OWASP ZAP
• Nikto
• SQLmap
• Acunetix

• 802.11a: 54 Mbps, 5 GHz
• 802.11b: 11 Mbps, 2.4 GHz
• 802.11g: 54 Mbps, 2.4 GHz
• 802.11n: 100+ Mbps, 2.4/5 GHz
• 802.11ac: 1+ Gbps, 5 GHz

WEP (Wired Equivalent Privacy) weaknesses:

• 24-bit IV (Initialization Vector) too small
• IV reuse leads to key recovery
• No key management
• Weak integrity check
• Can be cracked in minutes
• Tools: Aircrack-ng, Cain & Abel

• WPA: TKIP encryption, stronger than WEP
• WPA2: AES encryption, current standard
• WPA3: Latest standard, SAE handshake, forward secrecy
• Enterprise versions use 802.1X authentication

Unauthorized AP on network:

• Evil Twin: Mimics legitimate AP
• Captures credentials
• MITM attacks
• Data theft
• Detection: Site surveys, WIDS

1. Start monitor mode: airmon-ng start wlan0
2. Capture packets: airodump-ng mon0
3. Generate traffic: aireplay-ng -3 -b [BSSID] mon0
4. Crack key: aircrack-ng capture.cap
5. Need 50,000+ packets for reliable cracking

• War Driving: Searching for wireless networks while moving
• War Chalking: Marking locations with symbols indicating:
  • Open networks: )(
  • Closed networks: )(—
  • WEP networks: )(W
  • SSID/password often included

• Bluejacking: Sending unsolicited messages
• Bluesnarfing: Stealing information
• Bluebugging: Taking control of device
• BlueBorne: Spreading malware
• Bluesmacking: DoS attack

• Boot Sector: Infects boot sector
• File Infector: Attaches to executables
• Macro: Uses application macros
• Polymorphic: Changes code signature
• Metamorphic: Rewrites itself completely
• Multipartite: Multiple infection methods
• Stealth: Hides from detection

• Virus: Requires host file, user action to spread
• Worm: Self-replicating, spreads automatically
• Trojan: Appears legitimate, doesn't self-replicate
• Logic Bomb: Triggers on condition
• Rootkit: Hides presence, maintains access

• Back Orifice: 31337, 31338
• NetBus: 12345, 12346
• Tini: 7777
• Deep Throat: 2140, 3150
• SubSeven: 27374
• Beast: 6666

Detection:

• Monitor ports: netstat -an
• Check processes
• Registry monitoring
• File integrity checking
• Network traffic analysis

Prevention:

• Antivirus software
• Firewall rules
• User education
• Principle of least privilege
• Application whitelisting

Software that hides malicious presence:

• Application-level: Replaces executables
• Kernel-level: Modifies kernel
• Hardware/Firmware: BIOS/UEFI infection
• Bootkit: Infects MBR
• Library-level: Patches system libraries

Detection: GMER, RootkitRevealer

• Volume-based: Flood bandwidth (ICMP, UDP floods)
• Protocol: Exploit protocol weaknesses (SYN flood)
• Application: Overwhelm application resources
• Distributed (DDoS): Multiple attacking systems
• Permanent (PDoS): Damages hardware

1. Attacker sends many SYN packets
2. Uses spoofed source IPs
3. Server allocates resources for each
4. Sends SYN-ACK to fake addresses
5. No ACK received, connections half-open
6. Connection table fills up
7. Legitimate connections refused

1. Attacker sends ICMP echo to broadcast address
2. Source IP spoofed as victim's IP
3. All hosts reply to victim
4. Victim overwhelmed with responses
5. Amplification effect
6. Prevention: Disable directed broadcasts

Botnets: Zeus, Mirai, Conficker

DDoS Tools:

• LOIC (Low Orbit Ion Cannon)
• HOIC
• Slowloris
• R.U.D.Y
• Trinity

• Rate limiting
• SYN cookies
• Increase connection queue
• Firewall rules
• IPS/IDS deployment
• CDN/DDoS protection services
• Blackholing
• Upstream filtering

Taking over an established session:

1. Sniff network traffic
2. Predict sequence numbers
3. Desynchronize legitimate client
4. Inject packets with predicted sequence
5. Take over session

• Active: Attacker takes over session
• Passive: Attacker monitors session
• Network-level: TCP/IP hijacking
• Application-level: HTTP session hijacking
• Man-in-the-Browser: Browser-based

Attacker sets victim's session ID:

1. Attacker obtains valid session ID
2. Forces victim to use this ID
3. Victim authenticates
4. Attacker uses known session ID
5. Prevention: Regenerate session ID after login

• Use HTTPS/TLS encryption
• Implement session timeouts
• Regenerate session IDs
• Validate session tokens
• Check IP address consistency
• Use unpredictable session IDs
• Implement proper logout
• Educate users

Symmetric:

• Same key for encryption/decryption
• Fast
• Examples: AES, DES, 3DES
• Key distribution problem

Asymmetric:

• Public/private key pair
• Slower
• Examples: RSA, ECC, DSA
• Solves key distribution

One-way mathematical functions:

Properties:

• Fixed output length
• Irreversible
• Avalanche effect
• Collision resistant

Common algorithms:

• MD5 (128-bit, broken)
• SHA-1 (160-bit, deprecated)
• SHA-256/512 (secure)

Provides authentication and non-repudiation:

1. Hash the message
2. Encrypt hash with private key
3. Attach to message
4. Recipient decrypts with public key
5. Verifies hash matches
6. Proves sender identity and integrity

Framework for digital certificates:

Components:

• Certificate Authority (CA)
• Registration Authority (RA)
• Certificate database
• Certificate store

Process:

• Key generation
• Certificate signing
• Distribution
• Revocation

Hiding data within other data:

Types:

• Image (LSB manipulation)
• Audio
• Video
• Text

Tools: Steghide, OpenStego, S-Tools

Detection: Statistical analysis, steganalysis tools

By knowledge:

• Black Box: No prior knowledge
• White Box: Full knowledge
• Gray Box: Partial knowledge

By location:

• External: From outside network
• Internal: From inside network

By announcement:

• Announced: Staff aware
• Unannounced: Staff unaware

1. Pre-engagement: Scope, authorization, rules
2. Intelligence Gathering: Reconnaissance
3. Threat Modeling: Identify attack vectors
4. Vulnerability Analysis: Scanning, enumeration
5. Exploitation: Gaining access
6. Post-Exploitation: Privilege escalation, persistence
7. Reporting: Documentation, recommendations

• Executive summary
• Scope and methodology
• Risk ratings
• Detailed findings
• Evidence/screenshots
• Remediation recommendations
• Technical details
• Test dates and team

Vulnerability Assessment:

• Identifies vulnerabilities
• Doesn't exploit
• Broader coverage
• Automated tools
• Regular frequency

Penetration Testing:

• Exploits vulnerabilities
• Proves impact
• Focused approach
• Manual + automated
• Less frequent