CEH V8 Bootcamp

philz1982

I am considering going to a CEH V8 bootcamp. Curious for feedback from those of you who have attended one. It would need to be in Dallas Tx and would need to be qualified to accept 100% payment from the Post-911 GI Bill

Find more posts tagged with

Comments

Khaos1911

Overkill, bro. Pick up the CEH AIO book and download a copy of Nmap, TCPdump,and a little HPing2 and you'll be golden.

NovaHax

Khaos1911 wrote: »

Overkill, bro. Pick up the CEH AIO book and download a copy of Nmap, TCPdump,and a little HPing2 and you'll be golden.

Exactly what he said. If you are going to use your GI Bill money for a cert...don't waste it on CEH. CEH is WAY too easy of a test to pass with self-study. Spend it on something that is going to be a challenge, and where personal instruction is going to be more helpful.

philz1982

Like what? I am doing pen testing and vuln testing on Building Automation Systems, which are basically web appliances so I figured the CEH would be a good step in that direction.

shajeer

Hi Khaos1911.

As per your suggestion , i am reading Matt walker AIO and completed chapter 1 of it. Proceeding to chapter 2 cryptography.

Also I downloaded ceh v8 courseware.

Could you please guide how to use hping2 tcpdump, is there any manual..googled it..but dint find

Khaos1911

shajeer wrote: »

Hi Khaos1911.As per your suggestion , i am reading Matt walker AIO and completed chapter 1 of it. Proceeding to chapter 2 cryptography.Also I downloaded ceh v8 courseware. Could you please guide how to use hping2 tcpdump, is there any manual..googled it..but dint find

We have to work on your google skills.

www.tcdump.org

Hping - Active Network Security Tool

Both are also covered in the CEH v8 courseware.

Khaos1911

philz1982 wrote: »

Like what? I am doing pen testing and vuln testing on Building Automation Systems, which are basically web appliances so I figured the CEH would be a good step in that direction.

If cost is not a problem, I'd say check out the GWAPT bootcamp/certification offered by SANS.

NovaHax

shajeer wrote: »

Hi Khaos1911.

Could you please guide how to use hping2 tcpdump, is there any manual..googled it..but dint find

root@KaliLinux:~# tcpdump -h
tcpdump version 4.3.0
libpcap version 1.3.0
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -j tstamptype ] [ -M secret ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ] [ -y datalinktype ] [ -z command ]
[ -Z user ] [ expression ]

root@KaliLinux:~# hping3 -h
usage: hping3 host [options]
-h --help show this help
-v --version show version
-c --count packet count
-i --interval wait (uX for X microseconds, for example -i u1000)
--fast alias for -i u10000 (10 packets for second)
--faster alias for -i u1000 (100 packets for second)
--flood sent packets as fast as possible. Don't show replies.
-n --numeric numeric output
-q --quiet quiet
-I --interface interface name (otherwise default routing interface)
-V --verbose verbose mode
-D --debug debugging info
-z --bind bind ctrl+z to ttl (default to dst port)
-Z --unbind unbind ctrl+z
--beep beep for every matching packet received
Mode
default mode TCP
-0 --rawip RAW IP mode
-1 --icmp ICMP mode
-2 --udp UDP mode
-8 --scan SCAN mode.
Example: hping --scan 1-30,70-90 -S www.target.host
-9 --listen listen mode
IP
-a --spoof spoof source address
--rand-dest random destionation address mode. see the man.
--rand-source random source address mode. see the man.
-t --ttl ttl (default 64)
-N --id id (default random)
-W --winid use win* id byte ordering
-r --rel relativize id field (to estimate host traffic)
-f --frag split packets in more frag. (may pass weak acl)
-x --morefrag set more fragments flag
-y --dontfrag set don't fragment flag
-g --fragoff set the fragment offset
-m --mtu set virtual mtu, implies --frag if packet size > mtu
-o --tos type of service (default 0x00), try --tos help
-G --rroute includes RECORD_ROUTE option and display the route buffer
--lsrr loose source routing and record route
--ssrr strict source routing and record route
-H --ipproto set the IP protocol field, only in RAW IP mode
ICMP
-C --icmptype icmp type (default echo request)
-K --icmpcode icmp code (default 0)
--force-icmp send all icmp types (default send only supported types)
--icmp-gw set gateway address for ICMP redirect (default 0.0.0.0)
--icmp-ts Alias for --icmp --icmptype 13 (ICMP timestamp)
--icmp-addr Alias for --icmp --icmptype 17 (ICMP address subnet mask)
--icmp-help display help for others icmp options
UDP/TCP
-s --baseport base source port (default random)
-p --destport [+][+]<port> destination port(default 0) ctrl+z inc/dec
-k --keep keep still source port
-w --win winsize (default 64)
-O --tcpoff set fake tcp data offset (instead of tcphdrlen / 4)
-Q --seqnum shows only tcp sequence number
-b --badcksum (try to) send packets with a bad IP checksum
many systems will fix the IP checksum sending the packet
so you'll get bad UDP/TCP checksum instead.
-M --setseq set TCP sequence number
-L --setack set TCP ack
-F --fin set FIN flag
-S --syn set SYN flag
-R --rst set RST flag
-P --push set PUSH flag
-A --ack set ACK flag
-U --urg set URG flag
-X --xmas set X unused flag (0x40)
-Y --ymas set Y unused flag (0x80)
--tcpexitcode use last tcp->th_flags as exit code
--tcp-mss enable the TCP MSS option with the given value
--tcp-timestamp enable the TCP timestamp option to guess the HZ/uptime
Common
-d --data data size (default is 0)
-E --file data from file
-e --sign add 'signature'
-j --**** **** packets in hex
-J --print **** printable characters
-B --safe enable 'safe' protocol
-u --end tell you when --file reached EOF and prevent rewind
-T --traceroute traceroute mode (implies --bind and --ttl 1)
--tr-stop Exit when receive the first not ICMP in traceroute mode
--tr-keep-ttl Keep the source TTL fixed, useful to monitor just one hop
--tr-no-rtt Don't calculate/show RTT information in traceroute mode
ARS packet description (new, unstable)
--apd-send Send the packet described with APD (see docs/APD.txt)

NovaHax

If you want even more...these work too:

root@KaliLinux:~# man tcpdump
root@KaliLinux:~# man hping3

NovaHax

Khaos1911 wrote: »

If cost is not a problem, I'd say check out the GWAPT bootcamp/certification offered by SANS.

And agreed. You would probably get a lot more out of a GPEN or GWAPT course.

philz1982

What about

eCPPT

OSCP

OSCE

OSWE

They cost a lot less then the SAN's courses.

NovaHax

philz1982 wrote: »

What about

eCPPT

OSCP

OSCE

OSWE

They cost a lot less then the SAN's courses.

Nope, nope, nope, and nope. From what I was told, the VA education benefits will not cover Offensive Security or eLearn certs because both of them are hosted outside of the United States. At least this was the case when I checked (but may be worth checking into it...since it was a couple years ago when I did). Stupid in my opinion...but ya know, its just not MURICAN if its not in MURICA...know what i mean???

JDMurray

philz1982 wrote: »

Like what? I am doing pen testing and vuln testing on Building Automation Systems, which are basically web appliances so I figured the CEH would be a good step in that direction.

Why not consider EC-Council's pentesting cert?

UPDATE: Oh, forget I mentioned it. I just read what it costs to maintain the L|PT cert.

philz1982

NovaHax wrote: »

Nope, nope, nope, and nope. From what I was told, the VA education benefits will not cover Offensive Security or eLearn certs because both of them are hosted outside of the United States. At least this was the case when I checked (but may be worth checking into it...since it was a couple years ago when I did). Stupid in my opinion...but ya know, its just not MURICAN if its not in MURICA...know what i mean???

I should have been more clear in my follow-up question. In the case of these certs, they are affordable enough for me. Are the classes/training worthwhile? In what order would you rank them knowing that the majority of my testing is conducted against building automation systems with either Java UI's and core C# code running on Windows or Linux boxes or C# UI's with core c# running on windows boxes. The DB's are typically SQL but I have seen some Access DB's.

The interface between the layer 1 RS-485/RS-232 ports is typically C++ to C# or C++ to Java.

-Phil

colemic

NovaHax wrote: »

Nope, nope, nope, and nope. From what I was told, the VA education benefits will not cover Offensive Security or eLearn certs because both of them are hosted outside of the United States. At least this was the case when I checked (but may be worth checking into it...since it was a couple years ago when I did). Stupid in my opinion...but ya know, its just not MURICAN if its not in MURICA...know what i mean???

I would definitely confirm this - I know VA covers tuition for foreign schools (it did for me.) They aren't listed online in the approved cert database, but I would use the ask-a-question feature to get a definitive answer.