Some general questions about the CEH (v8) exam

---

I'm hoping a moderator can answer a few questions for me. I'm going through Sean's CEH book and there are a few of things that are fairly worrysome. For one, MANY of the questions in the book provide answers that in one way shape or another fit as an answer to the question; and in most of those cases there's only extremely (imho) small differences in the answers.
Here's a couple of examples:
Example 1: A _____ is an offline attack.
The provided answers are:
a cracking attack
a rainbow attack
a birthday attack
or a hashing attack.

You kind've are cracking the password, and a hashing attack could be read as you are performing an attack against the hash which could also be offline (though technically yes, I do know there are online services that do provide that). I think the proper way to read the question is what tool are you using to perform the attack instead of what category of operating are you falling under...

Example 2: A good defense against password guessing is __________
The provided answers are:
Complex passwords
Password policy
Fingerprints
Use of NTLM

A good password policy can ensure good passwords. Fingerprints in place of words/phrases would eliminate passwords all together (though this one wasn't mentioned, and either way, it's much less likely what the question is looking for).

Are the given answers on the exam as bad as these? And these are just 2, the book so far has had numerous questions with answers like these. To me, a test should provide answers that if you understood the material it should be dead obvious. But I understand the material and I'm finding I need to read between the lines and figure out stuff that is being asked that isn't even printed on the paper just to figure out what specifically the question is looking for.

Also, I understand I need to know the port numbers and their TCP/UDP statuses for various known services. However, in Chapter 8: Trojans, Viruses, Worms,, and Covert Channels, are we expected to know all of the names, ports, and TCP/UDP statuses of each and every Trojan (ex: Back Orifice, BO2k, Beast, etc.) listed? The Exam Essentials doesn't say it, but there really wasn't anything in this section stating they were just there for personal information purposes.

How much of the exam is an informational dump? I went through all the IT Pro TV videos (which were GREAT btw, I really enjoyed the occasional banter between Mike and Sean) But as I'm reading through the book there is a METRIC-TON of stuff the videos didn't cover that could all be used on an information-dump style test. I was under the impression the CEH is mostly a conceptual test, where yes you need to know the basic tools (nmap, ping, etc.) and ports of known services, etc. but the book is kind've insane.

Thanks in advance!

Hey Brandon,

Yes, this is a difficult exam. There is a lot of information! But it is also a mile wide and an inch deep mostly. Meaning you have to know a little about a lot. There are several tools and techniques in each category. While you don't have to be an expert with each tool, there are certain ones they seem to call out, like the ones you mentioned. The best way to study is to set up a test lab and play!

As for the questions, try not to read too much into them. But those are close to exam questions.

For example, with regards to the question about offline attacks, here's how I would look at it...
Offline in this context means not connected to the target during the attack, not whether I have an internet connection or using an online service.

1. Cracking attack - no such thing
2. Rainbow attack - I have dumped some hash values, and I am using a rainbow table to find a hash collision. Definitely an offline attack
3. Birthday attack - Not really an attack, more of a mathematical paradox that we can take advantage of with certain attacks, like rainbow tables
4. Hashing attack - Not really an attack, more of a technique used in many attacks. If we can obtain a hash value, we might try a replay attack, MITM attack (which would be online) or a rainbow attack (offline attack)

As for the second question, again, try not to read too much into it.
While using fingerprints would be a more secure option, that is not what the question is asking. The question isn't asking us to choose a more secure option, rather make the given authentication method more secure. Implementing biometric authentication will not do anything to prevent password guessing, whereas complex passwords would. We can't assume that if we switch to fingerprint authentication, we are no longer using passwords. Policy might be used to implement complex password requirements, but it's still the complex password that's mitigating the risk of password guessing, not the policy.

It really is a ton of information, don't get frustrated. Like the port numbers for the different malware. Definitely testable information. But probably not more that one or two, and probably not fill in the blank. More like here is a netstat output, which trojan are you infected with. But the questions change, and there is a large pool of questions, so I cannot say for sure.

Hope this helps, thanks for watching, and let me know if you have any other questions.

Mike

Thanks Mike! Yeah that REALLY helps!

Ok, so those questions then aren't just not-great questions; they're indicative of I REALLY need to read the question and actually figure out if they're asking what it looks like on the surface or if there's something deeper behind it. Many tests say to carefully read the question, but that's usually just the boiler plate stuff that gets slapped on almost every test anywhere on any topic. In this case, it's REALLY meant.

I think I'll do something like that at home perhaps. At work I did set up an OpenSUSE machine and threw Snort on it with pulledpork.pl, and eventually Tripwire as well. I did it for personal workstation security reasons (we have interns from another country doing some cyber security research and I'm on the same VLAN as them), but I also remember it being mentioned in the videos that it's something we are really encouraged to work with and play around with.

I had made some flashcards for various port numbers of the known ports, I'll just add another set for malware. I guess the moral of the story is, given it's a mile wide and an inch deep, even if I miss one or two questions based on ports of malware, it's ok. It's about the bigger goal, which is passing the test or to put it the style of Sun Tzu:

The general that fights many battles, regardless of their respective victories, looses resources for the bigger picture, depletes the resources of the state 10 fold, and losses the bigger war. "Thus, winning a hundred victories out of a hundred battles is not the ultimate achievement; the ultimate achievement is to defeat the enemy without even coming to battle".

Basically, don't get bogged down in the "trivia". Obviously I need to continue studying, but I need to pick and choose the battles that I personally feel are worth fighting. If I think the overall exam is based on understanding concepts (with knowledge of some of the tools' parameters), then the "trivia" stuff will probably be only one or two here and there. Of course, I also don't want to suffer a death of a 1000 needles either. I think the way I will approach it, is to continue pushing my way forward through the book , doing the tests after each chapter, work the virtual labs, go through my own personal notes, skim back over through the book where all my color-coded page flags are (benefit of page flags -- don't have to read the entire thing a second time) all the while continually and occasionally working through the "trivia" stuff.. It should sure up my defenses a bit for the test and provide me a fighting shot.

I'm going to go ahead and mark this as solved, since it addressed and answered my questions. Thanks!