Thanks Mike! Yeah that REALLY helps!
Ok, so those questions then aren't just not-great questions; they're indicative that I REALLY need to read the question and actually figure out if they're asking what it looks like on the surface or if there's something deeper behind it. Many tests say to carefully read the question, but that's usually just the boilerplate stuff that gets slapped on almost every test anywhere on any topic. In this case, it's REALLY meant.
I think I'll do something like that at home perhaps. At work I did set up an openSUSE machine and threw Snort on it with pulledpork.pl, and eventually Tripwire as well. I did it for personal workstation security reasons (we have interns from another country doing some cyber security research and I'm on the same VLAN as them), but I also remember it being mentioned in the videos that it's something we are really encouraged to work with and play around with.
I had made some flashcards for various port numbers of the known ports; I'll just add another set for malware. I guess the moral of the story is, given it's a mile wide and an inch deep, even if I miss one or two questions based on ports of malware, it's ok. It's about the bigger goal, which is passing the test, or to put it in the style of Sun Tzu:
The general that fights many battles, regardless of their respective victories, loses resources for the bigger picture, depletes the resources of the state tenfold, and loses the bigger war. "Thus, winning a hundred victories out of a hundred battles is not the ultimate achievement; the ultimate achievement is to defeat the enemy without even coming to battle".
Basically, don't get bogged down in the "trivia". Obviously I need to continue studying, but I need to pick and choose the battles that I personally feel are worth fighting. If I think the overall exam is based on understanding concepts (with knowledge of some of the tools' parameters), then the "trivia" stuff will probably be only one or two here and there. Of course, I also don't want to suffer a death of a thousand needles either. I think the way I will approach it is to continue pushing my way forward through the book, doing the tests after each chapter, work the virtual labs, go through my own personal notes, skim back through the book where all my color-coded page flags are (benefit of page flags -- don't have to read the entire thing a second time), all the while continually and occasionally working through the "trivia" stuff. It should shore up my defenses a bit for the test and provide me a fighting shot.
I'm going to go ahead and mark this as solved, since it addressed and answered my questions. Thanks!
I'm hoping a moderator can answer a few questions for me. I'm going through Sean's CEH book and there are a few things that are fairly worrisome. For one, MANY of the questions in the book provide answers that in one way, shape, or another fit as an answer to the question; and in most of those cases there are only extremely (imho) small differences in the answers.
Here are a couple of examples:
Example 1: A _____ is an offline attack.
The provided answers are:
a cracking attack
a rainbow attack
a birthday attack
or a hashing attack.
You kind of are cracking the password, and a hashing attack could be read as you are performing an attack against the hash, which could also be offline (though technically yes, I do know there are online services that do provide that). I think the proper way to read the question is what tool are you using to perform the attack instead of what category of operation you are falling under...
Example 2: A good defense against password guessing is __________
The provided answers are:
Use of NTLM
A good password policy can ensure good passwords. Fingerprints in place of words/phrases would eliminate passwords altogether (though this one wasn't mentioned, and either way, it's much less likely what the question is looking for).
Are the given answers on the exam as bad as these? And these are just 2; the book so far has had numerous questions with answers like these. To me, a test should provide answers that, if you understood the material, would be dead obvious. But I understand the material and I'm finding I need to read between the lines and figure out stuff that is being asked that isn't even printed on the paper just to figure out what specifically the question is looking for.
Also, I understand I need to know the port numbers and their TCP/UDP statuses for various known services. However, in Chapter 8: Trojans, Viruses, Worms, and Covert Channels, are we expected to know all of the names, ports, and TCP/UDP statuses of each and every Trojan (ex: Back Orifice, BO2k, Beast, etc.) listed? The Exam Essentials doesn't say it, but there really wasn't anything in this section stating they were just there for personal information purposes.
How much of the exam is an informational dump? I went through all the IT Pro TV videos (which were GREAT btw, I really enjoyed the occasional banter between Mike and Sean), but as I'm reading through the book there is a METRIC-TON of stuff the videos didn't cover that could all be used on an information-dump style test. I was under the impression the CEH is mostly a conceptual test, where yes you need to know the basic tools (nmap, ping, etc.) and ports of known services, etc., but the book is kind of insane.
Thanks in advance!
Hmm... Reading through that article, it doesn't actually say one way or the other what it does with the VLANs; it just basically says, on newer devices (7.5+) there's protection on by default (unicast flood protection), and you can have multiple different events occur, such as shutting down the VLAN or limiting the VLAN. In fact it even references preventing a table from being filled as it's -BAD- when a table gets filled (which it is), but it implies they don't have a solution in place for when that happens and instead focus their efforts on preventing it from happening (things like limiting any new MAC address entries until a table has freed up more slots). I'm going to mark this as solved, because ultimately I think you're probably right; I don't think VLAN traffic will go across to other VLANs. Interesting stuff though. Thanks!
Yeah, that's kind of what I was thinking -- that other VLANs would not be affected. I didn't realize each VLAN actually had its own tables. I always kind of thought the VLAN stuff rode sort of on top of Layer 2 but out-of-band of the OSI model. Sort of like its own thing. Unfortunately (or fortunately depending on how you look at it) it makes the pentester's life a bit harder. I guess if you're dealing with VLANs, at that point you'd be looking at other infiltration methods, USB keys, phishing, social engineering, etc. Which to me always seems like cheating. But I guess demonstrating even a human vulnerability is still demonstrating vulnerability.
I knew you could sniff on switch-based networks before working on my CEH cert. I always like to put it as basically Ethernet just grew up (after hubs); you have to do it a little differently. I knew about flooding tables on switches, but my questions are: How do VLANs come into play with this attack? Many (most?) switches also have VLAN features built into them. Does flooding tables cause VLANs to be ignored (assuming a switch fails to open instead of closed) as well? Or are VLANs still active even though the switch is set to open (in other words, you'll see the traffic in your VLAN but not across all workstations that would be in other VLANs on the same switch)? If VLANs ARE still active, is there a type of attack that can be used or a perfectly legitimate override mechanism that can be retooled for the purposes of shutting down the VLAN feature so you can then see all the traffic on the switch?
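The two points the replies above settle, that a switch keeps a separate MAC table per VLAN and that the protection the article describes works by refusing to learn new MACs rather than by recovering from a full table, are easier to see in a small model than in prose. The following is an added example written for this thread, not code from the forum, the book, or any switch vendor: a toy switch with tiny per-VLAN tables, a constructed set of hosts and frames, and an optional per-port cap on learned MACs that behaves like a port-security "restrict" action (drop the offending frame and raise one alert). The hosts, MAC addresses, port numbers and table size are all made up for the illustration.

```python
"""Toy model of a switch with per-VLAN MAC tables and a per-port MAC-learning cap.
Shows that exhausting one VLAN's table only causes unknown-unicast flooding inside
that VLAN, and that capping learned MACs per port keeps the table from filling.
Constructed example; not any vendor's implementation."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    vlan: int
    src_mac: str
    dst_mac: str
    in_port: int


class Switch:
    def __init__(self, vlan_ports, table_capacity, port_mac_limit=None):
        self.vlan_ports = vlan_ports          # {vlan: set of member ports}
        self.capacity = table_capacity        # entries per VLAN table (tiny on purpose)
        self.port_mac_limit = port_mac_limit  # max MACs learned per (vlan, port); None = off
        self.tables = defaultdict(dict)       # vlan -> {mac: port}; one table per VLAN
        self.learned = defaultdict(set)       # (vlan, port) -> MACs learned on that port
        self.alerts = []                      # (vlan, port, reason) raised by the cap

    def _learn(self, frame):
        """Learn the source MAC; return False if the cap says to drop the frame."""
        table = self.tables[frame.vlan]
        if table.get(frame.src_mac) == frame.in_port:
            return True                       # already known on this port
        key = (frame.vlan, frame.in_port)
        if self.port_mac_limit is not None and len(self.learned[key]) >= self.port_mac_limit:
            # Cap reached: refuse the new MAC, drop the frame, alert once per port.
            if not any(a[:2] == key for a in self.alerts):
                self.alerts.append((frame.vlan, frame.in_port, "mac-limit exceeded"))
            return False
        if frame.src_mac not in table and len(table) >= self.capacity:
            return True                       # table full: cannot learn, frame still forwards
        table[frame.src_mac] = frame.in_port
        self.learned[key].add(frame.src_mac)
        return True

    def forward(self, frame):
        """Return the egress ports for the frame; lookups never leave the frame's VLAN."""
        if not self._learn(frame):
            return []
        table = self.tables[frame.vlan]
        if frame.dst_mac in table:
            return [table[frame.dst_mac]]
        # Unknown unicast (including every host the full table failed to learn):
        # flood the other ports of the same VLAN only.
        return sorted(p for p in self.vlan_ports[frame.vlan] if p != frame.in_port)


# Constructed hosts: A, B, C live in VLAN 10; X, Y live in VLAN 20.
HOST_A, HOST_B, HOST_C = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"
HOST_X, HOST_Y = "cc:cc:cc:00:00:01", "cc:cc:cc:00:00:02"


def bogus_frames(vlan, port, count):
    """Constructed frames carrying distinct locally administered source MACs from one port."""
    return [Frame(vlan, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", "ff:ff:ff:ff:ff:ff", port)
            for i in range(count)]


def run_scenario(port_mac_limit=None):
    """Observe the switch after 50 bogus sources appear on VLAN 10, port 1."""
    sw = Switch(vlan_ports={10: {1, 2, 5}, 20: {3, 4}}, table_capacity=8,
                port_mac_limit=port_mac_limit)
    # Normal traffic teaches the switch where the legitimate hosts live.
    sw.forward(Frame(10, HOST_A, HOST_B, 1))
    sw.forward(Frame(10, HOST_B, HOST_A, 2))
    sw.forward(Frame(20, HOST_X, HOST_Y, 3))
    sw.forward(Frame(20, HOST_Y, HOST_X, 4))
    for f in bogus_frames(10, 1, 50):
        sw.forward(f)
    # Host C joins VLAN 10 on port 2 afterwards; was there room to learn it?
    sw.forward(Frame(10, HOST_C, HOST_A, 2))
    return {
        "vlan10_entries": len(sw.tables[10]),
        "vlan20_entries": len(sw.tables[20]),
        "a_to_c_egress": sw.forward(Frame(10, HOST_A, HOST_C, 1)),   # [2] ideal, [2, 5] if flooded
        "x_to_y_egress": sw.forward(Frame(20, HOST_X, HOST_Y, 3)),   # VLAN 20 unaffected either way
        "alerts": list(sw.alerts),
    }


if __name__ == "__main__":
    print("no cap:  ", run_scenario())
    print("cap of 3:", run_scenario(port_mac_limit=3))
```

Without the cap, VLAN 10's table fills with bogus entries, host C can never be learned, and A's traffic to C is flooded to port 5 as well as port 2; VLAN 20's table and forwarding are untouched throughout, which is the "VLANs are still active" answer. With a cap of three MACs per port, the third bogus source on port 1 is dropped with an alert, the table never fills, and A reaches C on port 2 alone. The alert tuple is exactly the kind of event a defender would forward to a SIEM.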