CEH V8 Bootcamp

philz1982 Member Posts: 978
I am considering going to a CEH V8 bootcamp. Curious for feedback from those of you who have attended one. It would need to be in Dallas, TX and would need to be qualified to accept 100% payment from the Post-9/11 GI Bill.

Comments

  • Khaos1911 Member Posts: 366
    Overkill, bro. Pick up the CEH AIO book and download a copy of Nmap, TCPdump, and a little HPing2 and you'll be golden.
  • NovaHax Member Posts: 502 ■■■■□□□□□□
    Khaos1911 wrote: »
    Overkill, bro. Pick up the CEH AIO book and download a copy of Nmap, TCPdump, and a little HPing2 and you'll be golden.

    Exactly what he said. If you are going to use your GI Bill money for a cert...don't waste it on CEH. CEH is WAY too easy of a test to pass with self-study. Spend it on something that is going to be a challenge, and where personal instruction is going to be more helpful.
  • philz1982 Member Posts: 978
    Like what? I am doing pen testing and vuln testing on Building Automation Systems, which are basically web appliances so I figured the CEH would be a good step in that direction.
  • shajeer Member Posts: 13 ■□□□□□□□□□
    Hi Khaos1911.

    As per your suggestion, I am reading the Matt Walker AIO and have completed chapter 1 of it. Proceeding to chapter 2, cryptography.

    Also, I downloaded the CEH v8 courseware.

    Could you please guide me on how to use hping2 and tcpdump? Is there any manual? I googled it but didn't find one. :)
  • Khaos1911 Member Posts: 366
    shajeer wrote: »
    Hi Khaos1911. As per your suggestion, I am reading the Matt Walker AIO and have completed chapter 1 of it. Proceeding to chapter 2, cryptography. Also, I downloaded the CEH v8 courseware. Could you please guide me on how to use hping2 and tcpdump? Is there any manual? I googled it but didn't find one. :)

    We have to work on your google skills. :)

    www.tcdump.org

    Hping - Active Network Security Tool

    Both are also covered in the CEH v8 courseware.
  • Khaos1911 Member Posts: 366
    philz1982 wrote: »
    Like what? I am doing pen testing and vuln testing on Building Automation Systems, which are basically web appliances so I figured the CEH would be a good step in that direction.

    If cost is not a problem, I'd say check out the GWAPT bootcamp/certification offered by SANS.
  • NovaHax Member Posts: 502 ■■■■□□□□□□
    shajeer wrote: »
    Hi Khaos1911.

    Could you please guide me on how to use hping2 and tcpdump? Is there any manual? I googled it but didn't find one. :)

    root@KaliLinux:~# tcpdump -h
    tcpdump version 4.3.0
    libpcap version 1.3.0
    Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
    [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
    [ -i interface ] [ -j tstamptype ] [ -M secret ]
    [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
    [ -W filecount ] [ -y datalinktype ] [ -z command ]
    [ -Z user ] [ expression ]

    root@KaliLinux:~# hping3 -h
    usage: hping3 host [options]
    -h --help show this help
    -v --version show version
    -c --count packet count
    -i --interval wait (uX for X microseconds, for example -i u1000)
    --fast alias for -i u10000 (10 packets for second)
    --faster alias for -i u1000 (100 packets for second)
    --flood sent packets as fast as possible. Don't show replies.
    -n --numeric numeric output
    -q --quiet quiet
    -I --interface interface name (otherwise default routing interface)
    -V --verbose verbose mode
    -D --debug debugging info
    -z --bind bind ctrl+z to ttl (default to dst port)
    -Z --unbind unbind ctrl+z
    --beep beep for every matching packet received
    Mode
    default mode TCP
    -0 --rawip RAW IP mode
    -1 --icmp ICMP mode
    -2 --udp UDP mode
    -8 --scan SCAN mode.
    Example: hping --scan 1-30,70-90 -S www.target.host
    -9 --listen listen mode
    IP
    -a --spoof spoof source address
    --rand-dest random destionation address mode. see the man.
    --rand-source random source address mode. see the man.
    -t --ttl ttl (default 64)
    -N --id id (default random)
    -W --winid use win* id byte ordering
    -r --rel relativize id field (to estimate host traffic)
    -f --frag split packets in more frag. (may pass weak acl)
    -x --morefrag set more fragments flag
    -y --dontfrag set don't fragment flag
    -g --fragoff set the fragment offset
    -m --mtu set virtual mtu, implies --frag if packet size > mtu
    -o --tos type of service (default 0x00), try --tos help
    -G --rroute includes RECORD_ROUTE option and display the route buffer
    --lsrr loose source routing and record route
    --ssrr strict source routing and record route
    -H --ipproto set the IP protocol field, only in RAW IP mode
    ICMP
    -C --icmptype icmp type (default echo request)
    -K --icmpcode icmp code (default 0)
    --force-icmp send all icmp types (default send only supported types)
    --icmp-gw set gateway address for ICMP redirect (default 0.0.0.0)
    --icmp-ts Alias for --icmp --icmptype 13 (ICMP timestamp)
    --icmp-addr Alias for --icmp --icmptype 17 (ICMP address subnet mask)
    --icmp-help display help for others icmp options
    UDP/TCP
    -s --baseport base source port (default random)
    -p --destport [+][+]<port> destination port(default 0) ctrl+z inc/dec
    -k --keep keep still source port
    -w --win winsize (default 64)
    -O --tcpoff set fake tcp data offset (instead of tcphdrlen / 4)
    -Q --seqnum shows only tcp sequence number
    -b --badcksum (try to) send packets with a bad IP checksum
    many systems will fix the IP checksum sending the packet
    so you'll get bad UDP/TCP checksum instead.
    -M --setseq set TCP sequence number
    -L --setack set TCP ack
    -F --fin set FIN flag
    -S --syn set SYN flag
    -R --rst set RST flag
    -P --push set PUSH flag
    -A --ack set ACK flag
    -U --urg set URG flag
    -X --xmas set X unused flag (0x40)
    -Y --ymas set Y unused flag (0x80)
    --tcpexitcode use last tcp->th_flags as exit code
    --tcp-mss enable the TCP MSS option with the given value
    --tcp-timestamp enable the TCP timestamp option to guess the HZ/uptime
    Common
    -d --data data size (default is 0)
    -E --file data from file
    -e --sign add 'signature'
    -j --dump dump packets in hex
    -J --print dump printable characters
    -B --safe enable 'safe' protocol
    -u --end tell you when --file reached EOF and prevent rewind
    -T --traceroute traceroute mode (implies --bind and --ttl 1)
    --tr-stop Exit when receive the first not ICMP in traceroute mode
    --tr-keep-ttl Keep the source TTL fixed, useful to monitor just one hop
    --tr-no-rtt Don't calculate/show RTT information in traceroute mode
    ARS packet description (new, unstable)
    --apd-send Send the packet described with APD (see docs/APD.txt)
  • NovaHax Member Posts: 502 ■■■■□□□□□□
    If you want even more...these work too:

    root@KaliLinux:~# man tcpdump
    root@KaliLinux:~# man hping3
  • NovaHax Member Posts: 502 ■■■■□□□□□□
    Khaos1911 wrote: »
    If cost is not a problem, I'd say check out the GWAPT bootcamp/certification offered by SANS.


    And agreed. You would probably get a lot more out of a GPEN or GWAPT course.
  • philz1982 Member Posts: 978
    What about

    eCPPT

    OSCP

    OSCE

    OSWE

    They cost a lot less than the SANS courses.
  • NovaHax Member Posts: 502 ■■■■□□□□□□
    philz1982 wrote: »
    What about

    eCPPT

    OSCP

    OSCE

    OSWE

    They cost a lot less than the SANS courses.

    Nope, nope, nope, and nope. From what I was told, the VA education benefits will not cover Offensive Security or eLearn certs because both of them are hosted outside of the United States. At least this was the case when I checked (but it may be worth checking into it...since it was a couple of years ago when I did). Stupid in my opinion...but ya know, it's just not MURICAN if it's not in MURICA...know what I mean???
  • JDMurray Admin Posts: 13,091
    philz1982 wrote: »
    Like what? I am doing pen testing and vuln testing on Building Automation Systems, which are basically web appliances so I figured the CEH would be a good step in that direction.
    Why not consider EC-Council's pentesting cert?


    UPDATE: Oh, forget I mentioned it. I just read what it costs to maintain the L|PT cert. :P
  • philz1982 Member Posts: 978
    NovaHax wrote: »
    Nope, nope, nope, and nope. From what I was told, the VA education benefits will not cover Offensive Security or eLearn certs because both of them are hosted outside of the United States. At least this was the case when I checked (but it may be worth checking into it...since it was a couple of years ago when I did). Stupid in my opinion...but ya know, it's just not MURICAN if it's not in MURICA...know what I mean???


    I should have been more clear in my follow-up question. In the case of these certs, they are affordable enough for me. Are the classes/training worthwhile? In what order would you rank them, knowing that the majority of my testing is conducted against building automation systems with either Java UIs and core C# code running on Windows or Linux boxes, or C# UIs with core C# running on Windows boxes? The DBs are typically SQL, but I have seen some Access DBs.

    The interface between the layer 1 RS-485/RS-232 ports is typically C++ to C# or C++ to Java.

    -Phil
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    NovaHax wrote: »
    Nope, nope, nope, and nope. From what I was told, the VA education benefits will not cover Offensive Security or eLearn certs because both of them are hosted outside of the United States. At least this was the case when I checked (but it may be worth checking into it...since it was a couple of years ago when I did). Stupid in my opinion...but ya know, it's just not MURICAN if it's not in MURICA...know what I mean???
    I would definitely confirm this. I know the VA covers tuition for foreign schools (it did for me). They aren't listed online in the approved cert database, but I would use the ask-a-question feature to get a definitive answer.
    Working on: staying alive and staying employed