CEH Need to Know

Know these cold

Which protocol is used to query Active Directory?

LDAP (389)

Which protocol is primarily responsible for authentication in Active Directory?

Kerberos (88)

What does LDAP primarily do?

Query directory information (users, groups, OUs)

What does Kerberos primarily do?

Authentication

What file stores local Windows password hashes?

SAM

What file stores domain credentials in Active Directory?

NTDS.dit

Which Windows process commonly contains credentials in memory?

LSASS.exe

What attack reuses NTLM hashes?

Pass-the-Hash

What attack reuses Kerberos tickets?

Pass-the-Ticket

What attack extracts Kerberos service ticket hashes for offline cracking?

Kerberoasting

Which authentication protocol is associated with Pass-the-Ticket?

Kerberos

Which authentication protocol is associated with Pass-the-Hash?

NTLM

An attacker manipulates database queries through user input. Attack?

SQL Injection

An attacker injects OS commands through application input. Attack?

Command Injection

JavaScript executes in a victim's browser. Attack?

XSS

A logged-in user is tricked into performing actions. Attack?

CSRF

A server is tricked into making requests to internal resources. Attack?

SSRF

../../../etc/passwd indicates what attack?

Directory Traversal

Reading local files through a vulnerable application is called?

LFI (Local File Inclusion)

Including remote files into an application is called?

RFI (Remote File Inclusion)

XSS primarily targets what?

Browser

CSRF primarily targets what?

Authenticated user session

SSRF primarily targets what?

Server-side request processing

SQL Injection primarily targets what?

Database

Command Injection primarily targets what?

Operating System

Stored XSS persists where?

Application/database

Reflected XSS persists where?

It does not persist; reflected immediately

Which attack is more likely to steal session cookies?

XSS

FTP port?

21

SSH port?

22

Telnet port?

23

SMTP port?

25

DNS port?

53

HTTP port?

80

Kerberos port?

88

POP3 port?

110

SNMP ports?

161/162

LDAP port?

389

HTTPS port?

443

SMB port?

445

RDP port?

3389

Which Nmap flag performs a SYN scan?

-sS

Which Nmap flag performs a TCP Connect scan?

-sT

Which Nmap flag performs version detection?

-sV

Which Nmap flag performs OS detection?

-O

Which Nmap flag performs aggressive scanning?

-A

Which Nmap flag skips host discovery?

-Pn

Which scan is generally stealthier: SYN or TCP Connect?

SYN Scan

What response usually indicates a closed TCP port during a SYN scan?

RST

Which wireless protocol is considered broken?

WEP

WPA primarily uses what?

TKIP

WPA2 primarily uses what?

AES

WPA3 introduces what key feature?

SAE (Simultaneous Authentication of Equals)

What is an Evil Twin attack?

Rogue access point using the same SSID as a legitimate AP

What attack disconnects wireless clients from an AP?

Deauthentication Attack

AES is symmetric or asymmetric?

Symmetric

RSA is symmetric or asymmetric?

Asymmetric

ECC is symmetric or asymmetric?

Asymmetric

Diffie-Hellman is primarily used for?

Key Exchange

SHA-256 is what type of function?

Hash Function

MD5 is considered what?

Broken/Insecure

Hashing primarily provides?

Integrity

Digital signatures provide?

Integrity, Authentication, and Non-Repudiation

Which cloud model provides the most customer control?

IaaS

Which cloud model provides the least customer control?

SaaS

Developers manage applications but not infrastructure. Which model?

PaaS

Difference between VM and Container?

VM has a full guest OS; Container shares the host kernel

What malware self-replicates without user action?

Worm

What malware disguises itself as legitimate software?

Trojan

What malware hides processes/files to maintain access?

Rootkit

What malware encrypts files for payment?

Ransomware

Generic fraudulent email attack?

Phishing

Targeted phishing attack?

Spear Phishing

Phishing targeting executives?

Whaling

Voice-based phishing?

Vishing

SMS-based phishing?

Smishing

Single-source denial of service attack?

DoS

Multi-source denial of service attack?

DDoS

Few passwords against many accounts?

Password Spraying

Many passwords against one account?

Brute Force

Using leaked credentials across many sites?

Credential Stuffing

Tool commonly used for vulnerability scanning?

Nessus

Open-source vulnerability scanner?

OpenVAS

Tool commonly used for packet analysis?

Wireshark

Tool commonly used for exploitation?

Metasploit

Tool commonly used for web testing?

Burp Suite

Tool commonly used for password cracking?

John the Ripper

GPU-accelerated password cracking tool?

Hashcat

Wireless attack suite?

Aircrack-ng

OSINT relationship mapping tool?

Maltego