Getting started with Nmap - Part 1

Nmap is the de facto open source tool for network scanning. Developed by Gordon Lyon (Fyodor) way back in 1997, Nmap remains one of the most popular tools used by professionals in the cybersecurity and computer networking industries. It is also the tool of choice for the reconnaissance and footprinting step of penetration testing and hacking in general. (It was also the tool of choice for Trinity in The Matrix Reloaded!)

Knowing how important hand-holding is for a beginner in the cybersecurity industry, I felt the need to have a simple tutorial for Nmap. Considering the immense size of its features, I've broken down the tutorial into multiple parts. I have described Nmap and its features in the way that I learned it and in the same sequence.


In the entire tutorial, I've used Nmap on Ubuntu 16.04:
nikhilh@ubuntu:~$ uname -a
Linux ubuntu 4.15.0-32-generic #35~16.04.1-Ubuntu SMP Fri Aug 10 21:54:34 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

If you need a tutorial on Zenmap (the official Nmap GUI), let me know and I'll build a tutorial for it!

Disclaimer: In this entire tutorial series, I have used scanme.nmap.org as the target host and sometimes my local machine itself. scanme.nmap.org is a machine set up by the Nmap developers for educational purposes, so it is legal to scan it A FEW TIMES A DAY. Scanning networks you do not own is, in general, a cyber crime and may even lead to jail. Please get permission before scanning any network.

Setup


Installing Nmap on Ubuntu from source


Step 1: Get the latest source package

nikhilh@ubuntu:~$ curl -o nmap-7.70.tgz https://nmap.org/dist/nmap-7.70.tgz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12.3M  100 12.3M    0     0  5011k      0  0:00:02  0:00:02 --:--:-- 5012k

It is important to download over HTTPS and not HTTP. Even though an nmap-7.70.tgz may appear in your file list, it will likely contain only error text if it was downloaded over HTTP.

Step 2: Package Extraction

nikhilh@ubuntu:~$ tar -xf nmap-7.70.tgz

Step 3: Configuration
This step ensures that system-dependent values are set and the makefiles are created.

nikhilh@ubuntu:~$ cd nmap-7.70/
nikhilh@ubuntu:~/nmap-7.70$ ./configure
checking whether NLS is requested... yes
checking build system type... x86_64-unknown-linux-gnu

checking host system type... x86_64-unknown-linux-gnu
...
...
Configured with: ndiff zenmap nping openssl zlib libssh2 lua ncat
Configured without: localdirs nmap-update
Type make (or gmake on some *BSD machines) to compile.

Step 4: Compiling the source package
This compiles the source package and readies it for installation. The nmap binary can already be run from the build directory at this point.

nikhilh@ubuntu:~/nmap-7.70$ make
g++ -MM -I./liblinear -I./liblua -I./libdnet-stripped/include -I./libssh2/include -I./libpcre  -I./libpcap -I./nbase -I./nsock/include -DHAVE_CONFIG_H -DNMAP_NAME=\"Nmap\" -DNMAP_URL=\"https://nmap.org\" -DNMAP_PLATFORM=\"x86_64-unknown-linux-gnu\" -DNMAPDATADIR=\"/usr/local/share/nmap\" -D_FORTIFY_SOURCE=2 charpool.cc
...
...
gcc -o ncat -g -O2 -Wall  -L../libpcap  ncat_main.o ncat_connect.o ncat_core.o ncat_posix.o ncat_listen.o ncat_proxy.o ncat_ssl.o base64.o http.o util.o sys_wrap.o http_digest.o ncat_lua.o ../nsock/src/libnsock.a ../nbase/libnbase.a -lssl -lcrypto -lpcap ./../liblua/liblua.a -lm -ldl 

make[1]: Leaving directory '/home/nikhilh/nmap-7.70/ncat'

Step 5: Install package
This installs the binaries and libraries compiled in step 4.

nikhilh@ubuntu:~/nmap-7.70$ sudo make install
Compiling libnetutil
cd libnetutil && make

make[1]: Entering directory '/home/nikhilh/nmap-7.70/libnetutil'
...
...
NPING SUCCESSFULLY INSTALLED
make[1]: Leaving directory '/home/nikhilh/nmap-7.70/nping'

NMAP SUCCESSFULLY INSTALLED

Step 6: Include the nmap path in $PATH, if necessary

export PATH=$PATH:/home/nikhilh/nmap-7.70


Installing nmap on Ubuntu from apt-get


nikhilh@ubuntu:~$ sudo apt-get update
Hit:1 http://us.archive.ubuntu.com/ubuntu xenial InRelease
Get:2 http://us.archive.ubuntu.com/ubuntu xenial-updates InRelease [109 kB]    
Get:3 http://us.archive.ubuntu.com/ubuntu xenial-backports InRelease [107 kB]
...
...
Fetched 1,853 kB in 1s (1,258 kB/s)
Reading package lists... Done

nikhilh@ubuntu:~$ sudo apt-get install nmap
Unpacking nmap (7.01-2ubuntu2) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up nmap (7.01-2ubuntu2) ...

As you can see, when using apt-get, nmap 7.01 was installed, whereas when installing from source I installed nmap-7.70. If the version in the distribution's repository (7.01 at the time of writing) lags too far behind the most recent release (7.70), then you should install nmap from the source package. In this tutorial series, I'm using nmap-7.70.

Checking nmap version


nikhilh@ubuntu:~$ nmap -V
Nmap version 7.70 ( https://nmap.org )
Platform: x86_64-unknown-linux-gnu
Compiled with: nmap-liblua-5.3.3 openssl-1.0.2g nmap-libssh2-1.8.0 libz-1.2.8 nmap-libpcre-7.6 nmap-libpcap-1.7.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Debugging using nmap

Display all nmap options


nikhilh@ubuntu:~$ nmap -h
Nmap 7.70 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
...
....
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

Verbose output


nikhilh@ubuntu:~$ nmap -v scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 06:12 PDT
Initiating Ping Scan at 06:12
Scanning scanme.nmap.org (45.33.32.156) [2 ports]
Completed Ping Scan at 06:12, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:12
Completed Parallel DNS resolution of 1 host. at 06:12, 0.01s elapsed
Initiating Connect Scan at 06:12
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
Discovered open port 9929/tcp on 45.33.32.156
Completed Connect Scan at 06:12, 22.11s elapsed (1000 total ports)
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.093s latency).
Not shown: 996 filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 22.32 seconds

From the verbose output we can see nmap is doing two things in parallel:
  1. Resolving the hostname through DNS.
  2. Pinging the host (ICMP echo) before scanning.
    1. This ensures that nmap scans only those hosts which respond to its pings (in other words, hosts that are alive).
    2. If the host does not respond, nmap assumes it is down and does not scan it.
    3. ICMP is often blocked by a firewall or disabled on the host. In those cases, skip the ping with the "No Ping" option, -Pn.

Additional verbose output


nikhilh@ubuntu:~$ nmap -vv scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 06:22 PDT
Initiating Ping Scan at 06:22
Scanning scanme.nmap.org (45.33.32.156) [2 ports]
Completed Ping Scan at 06:22, 0.13s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:22
Completed Parallel DNS resolution of 1 host. at 06:22, 0.01s elapsed
Initiating Connect Scan at 06:22
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
Discovered open port 9929/tcp on 45.33.32.156
Completed Connect Scan at 06:22, 10.09s elapsed (1000 total ports)
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received syn-ack (0.10s latency).
Scanned at 2018-08-18 06:22:23 PDT for 11s
Not shown: 996 filtered ports
Reason: 996 no-responses
PORT      STATE SERVICE    REASON
22/tcp    open  ssh        syn-ack
80/tcp    open  http       syn-ack
9929/tcp  open  nping-echo syn-ack
31337/tcp open  Elite      syn-ack

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 10.29 seconds

When using the additional-verbose option (-vv), nmap also displays the reason behind each port state, besides the usual verbose information. In this case, port 22 is declared "open" because it replied with a SYN-ACK packet to nmap's SYN packet.
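The REASON column shown here (and again under the --reason option below) is the field a defender usually wants when reviewing scan results. As an added example, not code from the original post or from the Nmap project, here is a small Python 3 parser for the normal-format report Nmap prints, with a constructed copy of the report above as its input. It turns the host line, latency, "Not shown" summary and port table into records, lists the open ports, and checks that every port line actually carried a reason (plain -v output has no REASON column, so the field would otherwise be silently empty).

```python
import re
from collections import namedtuple

# Added example, not code from the original post or from the Nmap project.
# Constructed sample: a trimmed copy of the report `nmap -vv` prints,
# with the REASON column present.
SAMPLE_REPORT = """\
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received syn-ack (0.10s latency).
Scanned at 2018-08-18 06:22:23 PDT for 11s
Not shown: 996 filtered ports
Reason: 996 no-responses
PORT      STATE SERVICE    REASON
22/tcp    open  ssh        syn-ack
80/tcp    open  http       syn-ack
9929/tcp  open  nping-echo syn-ack
31337/tcp open  Elite      syn-ack

Nmap done: 1 IP address (1 host up) scanned in 10.29 seconds
"""

Port = namedtuple("Port", "number proto state service reason")

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([0-9a-fA-F.:]+)\))?")
UP_RE = re.compile(r"^Host is up(?:, received (\S+))? \(([0-9.]+)s latency\)")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+) ports")
# number/proto, state, service and an optional reason column
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(\S+))?")


def parse_report(text):
    """Parse Nmap's normal (-v / -vv / --reason) output into one dict per host."""
    hosts, current = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"host": m.group(1), "ip": m.group(2), "up_reason": None,
                       "latency_s": None, "not_shown": {}, "ports": []}
            hosts.append(current)
            continue
        if current is None:
            continue  # banner lines before the first host report
        m = UP_RE.match(line)
        if m:
            current["up_reason"] = m.group(1)  # None for plain -v output
            current["latency_s"] = float(m.group(2))
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:
            current["not_shown"][m.group(2)] = int(m.group(1))
            continue
        m = PORT_RE.match(line)
        if m:
            current["ports"].append(Port(int(m.group(1)), m.group(2),
                                         m.group(3), m.group(4), m.group(5)))
    return hosts


def open_ports(hosts):
    """'ip:port/proto' for every port in state open, across all hosts."""
    return ["%s:%d/%s" % (h["ip"] or h["host"], p.number, p.proto)
            for h in hosts for p in h["ports"] if p.state == "open"]


def ports_without_reason(hosts):
    """Port lines with no REASON column: a check that the scan really was
    run with -vv or --reason before anyone trusts the reason field."""
    return [(h["host"], p.number) for h in hosts
            for p in h["ports"] if p.reason is None]


if __name__ == "__main__":
    for h in parse_report(SAMPLE_REPORT):
        print(h["host"], h["ip"], "up via", h["up_reason"],
              "latency", h["latency_s"], "not shown", h["not_shown"])
        for p in h["ports"]:
            print("  %d/%s %s %s (%s)" % (p.number, p.proto, p.state,
                                          p.service, p.reason))
    print("open:", open_ports(parse_report(SAMPLE_REPORT)))
```

The text format is convenient for a quick check like this, but it is meant for humans and may change between Nmap versions; for anything automated, Nmap's XML output (-oX) is the stable choice.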

Debugging


nikhilh@ubuntu:~$ nmap -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 06:26 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 06:26
Scanning scanme.nmap.org (45.33.32.156) [2 ports]
Completed Ping Scan at 06:26, 0.10s elapsed (1 total hosts)
Overall sending rates: 20.16 packets / s.
mass_rdns: Using DNS server 127.0.1.1
Initiating Parallel DNS resolution of 1 host. at 06:26
mass_rdns: 0.01s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 06:26, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 06:26
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
Completed Connect Scan at 06:26, 24.04s elapsed (1000 total ports)
Overall sending rates: 83.53 packets / s.
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received syn-ack (0.098s latency).
Scanned at 2018-08-18 06:26:04 PDT for 25s
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT      STATE SERVICE REASON
22/tcp    open  ssh     syn-ack
80/tcp    open  http    syn-ack
31337/tcp open  Elite   syn-ack
Final times for host: srtt: 98331 rttvar: 25056  to: 198555

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 24.23 seconds

Points to note:
  1. ALL the parameters listed under the timing report can be modified using nmap options.
  2. -d can be used when -v or -vv does not provide enough information to debug an issue. Example: name resolution is not working and you want to know which DNS server is being used to resolve the hostname; the debug output shows it (the mass_rdns line above).
  3. Debug levels can be given, such as -d1 or -d7. Levels range from 1 to 9, with 9 giving the most information.

Reason for port state


As seen before in the additional verbose option section, Nmap provides the reason behind the port state. This option is useful when you just want the port state reason and not the clutter of verbose information.

nikhilh@ubuntu:~$ nmap --reason scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 06:35 PDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received syn-ack (0.11s latency).
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack
80/tcp   open  http       syn-ack
9929/tcp open  nping-echo syn-ack

Nmap done: 1 IP address (1 host up) scanned in 28.77 seconds

Trace packets


nikhilh@ubuntu:~$ nmap --packet-trace scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-19 10:56 PDT
CONN (0.1522s) TCP localhost > 45.33.32.156:80 => Operation now in progress
CONN (0.1524s) TCP localhost > 45.33.32.156:443 => Operation now in progress
...
...
CONN (2.0804s) TCP localhost > 45.33.32.156:135 => Operation now in progress
CONN (2.0805s) TCP localhost > 45.33.32.156:22 => Operation now in progress
...
...
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.082s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9929/tcp open  nping-echo

Nmap done: 1 IP address (1 host up) scanned in 33.72 seconds

By default, nmap scans the top 1000 ports that it expects to be open (in other words, the 1000 most commonly used ports). The --packet-trace option therefore produces a very large output, so you would do well to pipe it through more or redirect it to a file.

Scanning specific ports helps to reduce the output.

nikhilh@ubuntu:~$ nmap -p80 --packet-trace scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 06:45 PDT
CONN (0.0510s) TCP localhost > 45.33.32.156:80 => Operation now in progress
CONN (0.0516s) TCP localhost > 45.33.32.156:443 => Operation now in progress
CONN (0.1329s) TCP localhost > 45.33.32.156:80 => Connected
NSOCK INFO [0.1340s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [0.1340s] nsock_connect_udp(): UDP connection requested to 127.0.1.1:53 (IOD #1) EID 8
NSOCK INFO [0.1340s] nsock_read(): Read request from IOD #1 [127.0.1.1:53] (timeout: -1ms) EID 18
NSOCK INFO [0.1340s] nsock_write(): Write request for 43 bytes to IOD #1 EID 27 [127.0.1.1:53]
NSOCK INFO [0.1340s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [127.0.1.1:53]
NSOCK INFO [0.1340s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [127.0.1.1:53]
NSOCK INFO [0.1390s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [127.0.1.1:53] (72 bytes): .............156.32.33.45.in-addr.arpa..................scanme.nmap.org.
NSOCK INFO [0.1390s] nsock_read(): Read request from IOD #1 [127.0.1.1:53] (timeout: -1ms) EID 34
NSOCK INFO [0.1390s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSOCK INFO [0.1390s] nevent_delete(): nevent_delete on event #34 (type READ)
CONN (0.1388s) TCP localhost > 45.33.32.156:80 => Operation now in progress
CONN (0.2192s) TCP localhost > 45.33.32.156:80 => Connected
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.082s latency).

PORT   STATE SERVICE
80/tcp open  http


Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds

Display host networking


This displays the networking interfaces and routes present on your local system.

nikhilh@ubuntu:~$ nmap --iflist
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 06:54 PDT
************************INTERFACES************************
DEV   (SHORT) IP/MASK                      TYPE     UP MTU   MAC
ens33 (ens33) 192.168.182.136/24           ethernet up 1500  00:0C:29:1F:AA:9A
ens33 (ens33) fe80::d4b2:e8c0:389a:9330/64 ethernet up 1500  00:0C:29:1F:AA:9A
lo    (lo)    127.0.0.1/8                  loopback up 65536
lo    (lo)    ::1/128                      loopback up 65536

**************************ROUTES**************************
DST/MASK                      DEV   METRIC GATEWAY
192.168.182.0/24              ens33 100
169.254.0.0/16                ens33 1000
0.0.0.0/0                     ens33 100    192.168.182.2
::1/128                       lo    0
fe80::d4b2:e8c0:389a:9330/128 ens33 0
fe80::/64                     ens33 256
ff00::/8                      ens33 256

I'm working in a VMware environment where the ethernet interface eth* was renamed to ens* at boot time.

nikhilh@ubuntu:~$ dmesg | grep ens33
[    5.362864] e1000 0000:02:01.0 ens33: renamed from eth0
[   12.909788] IPv6: ADDRCONF(NETDEV_UP): ens33: link is not ready
[   12.924958] e1000: ens33 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
[   12.929544] IPv6: ADDRCONF(NETDEV_UP): ens33: link is not ready
[   12.929908] IPv6: ADDRCONF(NETDEV_CHANGE): ens33: link becomes ready

It is possible to rename the interface, but that is not necessary at this point.

Specify a networking interface


nikhilh@ubuntu:~$ nmap -e ens33 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 06:59 PDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.082s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
31337/tcp open  Elite

Nmap done: 1 IP address (1 host up) scanned in 7.01 seconds

This scans the target machine by sending/receiving the packets on the specified interface (in this case, ens33) only.

That's it for part 1! I understand there was a lot of information in this post and some of the options may not have made sense to you right now, but we'll get there. If there are any questions, comment below and I'll get back to you as soon as I can!

In the next part, we'll scan networks (legally) and make sense of the output.

Keystroke Dynamics using Statistical Analysis for User Identification

Those who are well-versed in authentication know that there are three kinds of factor that may be used:
  1. Something we know (PIN, password).
  2. Something we have (OTP token).
  3. Something we are (iris, fingerprint).
The least secure authentication mechanisms use only one of the above. A more secure mechanism uses two or more. The popular ones use two of the above factors, which is called 2FA or Two-Factor Authentication.



The need for eliminating single factor authentication


In many cases (including Gmail), we have just one password which lets us access our accounts. So, what happens if a person with malicious intents gets hold of it? We get a notification that our account has been accessed from a new browser, but that's it. The malicious person gets access to our account and all is lost.

There are many solutions to the above problem. One of them is 2FA, which may be a password/biometric or password/OTP combination. Keystroke dynamics is another solution, one which prevents a person from accessing your account even if they know your password.


What is Keystroke Dynamics?


Keystroke dynamics is a type of behavioral biometric. It relies on the assumption that every person has a unique typing pattern. This typing pattern includes timing samples - the time for which a key is pressed and/or the time between key presses and more.

If a malicious person knows your password, keystroke dynamics can help prevent access to your system because the malicious person most likely has a different typing pattern than you. In the world of cyber-cells and cyber-police, just preventing access is not enough. It is also vital to know the identity of the person trying to hack into the system.

The concept of keystroke dynamics can be used in two ways:
  1. User authentication - involves comparing input data with the authorized user template.
  2. User identification - involves comparing input data with ALL the registered user templates.
In general, user identification is more resource intensive and also more error-prone. In this post, I'll set up a simple keystroke-dynamics-enabled user identification system using Python 2.7, which analyzes the typing pattern of the user using simple statistics and identifies the most probable user where possible.

It is important to note that simple statistical analysis of timing samples leads to identification systems with poor accuracy. Authentication systems using statistical analysis, however, are reliable.

Which features are we using?


In my system, I'll be using three simple features:
  1. Dwell time: the interval between a key being pressed down and released.
  2. Flight time: the interval between one key press and the next key press.
  3. Key affinity: the user's preference for the shift key or the caps-lock key when typing special or uppercase characters.

Overview


System Training Overview


This algorithm uses the simplest method of training - static training. 

We'll be using a single password, .zoroBen1, which each user types thirty times. From this password we should be able to extract ten dwell time samples and nine flight time samples. I've ignored two flight time samples because of their unstable nature:
  1. the flight time between a character and the caps-lock or shift key. The flight time between the caps-lock or shift key and the next character is, however, considered.
  2. the flight time between the last entered character and the Enter (carriage return) key.
A flag records whether the shift key or the caps-lock key was used. This flag value combined with the timing samples forms the template for a particular user.
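How the three features are pulled out of one typed sample, as an added example in Python 3 that is not code from the post or its GitHub repository. The event format (key name, press time, release time in milliseconds, ordered by press time), the key names "shift", "caps_lock" and "return", and the event list below are all constructed assumptions; the capture layer (pygame in the post) is not shown. The code applies the two exclusion rules above literally, so the exact number of samples it yields depends on how the modifier key is counted.

```python
# Added example, not code from the original post or its repository.
# Assumes key events captured as (key, press_ms, release_ms) tuples,
# ordered by press time; the key names are an assumed convention.
MODIFIERS = {"shift", "caps_lock"}
ENTER = "return"
PASSWORD = ".zoroBen1"

# Constructed sample: one typing of the password, using shift for the "B".
SAMPLE_EVENTS = [
    (".", 0, 95), ("z", 180, 270), ("o", 330, 410), ("r", 470, 560),
    ("o", 640, 720),
    ("shift", 900, 1130),        # held down while "b" is struck
    ("b", 1010, 1100), ("e", 1250, 1330), ("n", 1420, 1500),
    ("1", 1600, 1690),
    (ENTER, 1900, 1980),
]


def typed_text(events):
    """Reconstruct what was typed: shift capitalises only the next key,
    caps lock toggles, and Enter ends the entry."""
    out, shift, caps = [], False, False
    for key, _, _ in events:
        if key == "shift":
            shift = True
        elif key == "caps_lock":
            caps = not caps
        elif key == ENTER:
            break
        else:
            out.append(key.upper() if shift != caps else key)
            shift = False
    return "".join(out)


def extract_features(events):
    """Return (dwell_times, flight_times, affinity_flag) for one sample.

    dwell  = release - press of every key before Enter (modifier included)
    flight = press(next) - press(this) for consecutive keys, dropping the
             character -> modifier gap (and, because Enter is excluded, the
             last character -> Enter gap); modifier -> next character is kept
    flag   = "shift", "caps_lock" or None (the key-affinity feature)
    """
    keys = [e for e in events if e[0] != ENTER]
    dwell = [release - press for _, press, release in keys]
    flight = [p2 - p1 for (_, p1, _), (k2, p2, _) in zip(keys, keys[1:])
              if k2 not in MODIFIERS]
    flag = next((k for k, _, _ in keys if k in MODIFIERS), None)
    return dwell, flight, flag


def capture_sample(events):
    """The string check from the algorithm flow: only a correctly typed
    password yields a feature set; anything else is rejected (None)."""
    if typed_text(events) != PASSWORD:
        return None
    return extract_features(events)


if __name__ == "__main__":
    print("typed:", typed_text(SAMPLE_EVENTS))
    print("features:", capture_sample(SAMPLE_EVENTS))
```

In training mode the tuple returned by capture_sample is what gets appended to the user's .csv template; in testing mode it is what flows into the comparison layer.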


System Testing Overview


When testing, the input data flows through a statistical layer where it is compared with all the user templates available in the system. The system then outputs a list of usernames from the most probable to the least probable. The performance of such a system is measured with the Cumulative Matching Curve (CMC), a rank-based performance measure.


Algorithm Flow


I've described the flow at a very high level here. If you need more information, please refer to the published paper, the link for which I've mentioned in the Readings section.
  1. The first step is to initialize global variables as object attributes. This includes the sample password string, the number of expected dwell time samples, the number of expected flight time samples, the accepted deviation, etc.
  2. I've used the pygame module of Python to capture the password and calculate the associated timing samples.
  3. A simple string check is executed to verify that the entered password is correct.
  4. Depending on the script action, there are two paths the script can take:
    1. if the system is in training mode, it stores the key-affinity flag value and timing samples in a .csv file.
    2. if the system is in testing mode, it moves into the comparison layer.
  5. If the code flow reaches this point, then it is in testing mode. At this point, the templates for all users are read from multiple .csv files.
  6. For each character's timing sample, the Euclidean distance between the user input and the user template is calculated. If this is less than a certain multiple of the standard deviation for that character in that specific user template, then the input timing sample for that character is considered a hit (or a match).
  7. Now that we have the comparison data between the user input and the user templates, we proceed to calculate the scores. This score is basically a measure of the closeness between the user input and the various user templates.
  8. This score is then combined with the caps-lock | shift flag to form the final rank list of users.
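Steps 5 to 8 carried through in Python 3, as an added example that is not code from the post or its GitHub repository. A template is the per-feature mean and standard deviation of a user's training samples; a probe feature is a hit when its Euclidean distance from the template mean (in one dimension, the absolute difference) is within k standard deviations; the score is the fraction of hits; and a matching shift/caps-lock flag adds a bonus before the users are ranked. The user names, timing vectors, k=2, the 5 ms minimum tolerance and the 0.5 flag bonus are all constructed assumptions; the real system reads its templates from .csv files and uses thirty samples per user. The CMC helper at the end goes slightly beyond the text by computing the rank-0 and top-r rates that the Results section reports.

```python
import math

# Added example, not code from the original post or its repository.
# Constructed training data: each inner list is one timing vector (ms) for
# one typing of the password; three samples per user instead of thirty.
TRAINING = {
    "alice": ("shift",     [[95, 90, 80, 230, 90], [100, 88, 82, 240, 85], [92, 93, 79, 225, 92]]),
    "bob":   ("caps_lock", [[140, 130, 150, 200, 160], [135, 128, 155, 210, 150], [145, 135, 148, 205, 158]]),
    "carol": ("shift",     [[60, 70, 55, 180, 65], [62, 68, 57, 175, 70], [58, 72, 54, 185, 60]]),
}

# Constructed probes: (true user, key-affinity flag, timing vector).
PROBES = [
    ("alice", "shift",     [97, 91, 81, 232, 88]),
    ("bob",   "caps_lock", [138, 131, 152, 207, 155]),
    ("carol", "caps_lock", [63, 69, 56, 178, 66]),      # usual timing, unusual modifier
    ("carol", "caps_lock", [63, 69, 100, 230, 120]),    # only two features look like carol
]


def build_template(samples):
    """Per-feature mean and population standard deviation of the samples."""
    cols, n = list(zip(*samples)), len(samples)
    means = [sum(c) / n for c in cols]
    stds = [math.sqrt(sum((x - m) ** 2 for x in c) / n) for c, m in zip(cols, means)]
    return means, stds


def build_all_templates(training):
    return {user: (flag, build_template(s)) for user, (flag, s) in training.items()}


def count_hits(probe, template, k=2.0, floor=5.0):
    """A feature is a hit when |probe - mean| <= k * std.  `floor` (assumed)
    is a minimum tolerance so a zero-variance feature is not forced to match
    exactly."""
    means, stds = template
    return sum(1 for x, m, s in zip(probe, means, stds) if abs(x - m) <= k * max(s, floor))


def rank_users(probe, flag, templates, flag_bonus=0.5):
    """Score = hit fraction, plus an assumed bonus when the shift/caps-lock
    preference matches; ties are broken by name.  Most probable user first."""
    scores = {}
    for user, (user_flag, template) in templates.items():
        score = count_hits(probe, template) / len(probe)
        if user_flag == flag:
            score += flag_bonus
        scores[user] = score
    return sorted(scores, key=lambda u: (-scores[u], u))


def evaluate(probes, templates):
    """0-based rank at which the true user appears for each probe."""
    return [rank_users(vec, flag, templates).index(true) for true, flag, vec in probes]


def cmc(ranks, n_users):
    """Cumulative Matching Curve: fraction of probes whose true user is within
    the top r+1 positions, for r = 0 .. n_users-1."""
    return [sum(1 for r in ranks if r <= i) / len(ranks) for i in range(n_users)]


if __name__ == "__main__":
    templates = build_all_templates(TRAINING)
    for true, flag, vec in PROBES:
        print(true, "->", rank_users(vec, flag, templates))
    ranks = evaluate(PROBES, templates)
    print("ranks:", ranks, "CMC:", cmc(ranks, len(TRAINING)))
```

The third probe shows the flag acting as a tie-breaker rather than a veto: carol's timing still wins even though she used caps lock that day. The fourth probe is the kind of input the Results section is counting when it reports a rank-0 rate below the top-5 rate: carol lands at rank 1, so the CMC reaches 1.0 only at the second position.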

Results


With the help of friends and colleagues at NetApp, I was able to get training samples of 25 users. Each typed the sample password thirty times under a semi-controlled environment.

When ten users typed the password, the system was able to identify them correctly (i.e. at rank-0) 76% of the time and in the top 5, 100% of the time. When twenty users tried typing the password, the system identified them correctly 62% of the time and in the top 5, 92% of the time.

As expected, the system is not very accurate. The most probable cause is the simplicity of the statistics used. As I said before, simple statistics are not sufficient for identification systems.


Readings


Machine learning is a very good concept for this application as explained in this paper: https://ieeexplore.ieee.org/document/7833085/

The paper for the system I described was published at http://www.ijemr.net/DOC/AStudyOfPersonIdentificationUsingKeystrokeDynamicsAndStatisticalAnalysis.pdf

The GitHub repository for this system lies at: https://github.com/nikhilh-20/keystroke_dynamics


Take away


Keystroke dynamics is a reasonably good behavioral biometric for authentication or identification. However, it does have inherent drawbacks:
  1. A person's typing pattern may change if they are given a new laptop, or as they get used to that new laptop.
  2. Timing samples may vary between keyboards and processors.
  3. Environmental disturbances are unpredictable and may affect the typing pattern.
  4. With a billion people on the planet, there is a very high chance that more than one person has a similar typing pattern.

Demo


Here's a demo on the working of the system:


My experience with CEH v10 - Preparation and Tips

Industry grade certifications matter when working in the Cybersecurity field. You might be an expert or just a beginner looking to enter into Cybersecurity. There are entry-level, intermediate-level and advanced-level certifications available to you depending on your experience in the security field.

For the last two years, I've been an automation programmer in Perl and Python. I've never been professionally involved with the security industry before. Hell, I didn't even know such an industry existed until my final semester in undergrad. It was one of my professors who first got me interested in cryptography and I've been hooked ever since.

Considering that I'm a newbie to the security industry, for a person with my level of experience the Certified Ethical Hacker (CEH) is a very good entry-level certification to have. The CEH is administered by the EC-Council. They also offer training and other certifications like ECSA (EC-Council Certified Security Analyst) and LPT (Licensed Penetration Tester). The latest version, CEH v10, was first offered sometime in March 2018.

How does CEH compare to other entry-level certifications?


CEH is, of course, not the only entry-level certification out there. CompTIA Security+ is another entry-level certification that I believe is a must-have for entry-level professionals. Both certifications lead to a very good understanding of a variety of topics.

The Security+ certification is for those looking to further their knowledge of cybersecurity principles and networking protocols. CEH would ideally be the next target certification for those looking at a career in the penetration testing or incident response fields.

When I was in college, I used to train in boxing. Being an out-boxer, I preferred to outclass, counter-punch and outpace my opponents. A penetration tester or red team member has more of an in-boxer's personality, while mine is closer to that of an incident response or blue-team member. I already have the Security+ certification, so CEH was my next target.


How is CEH v10 different from CEH v9?


The latest version of CEH includes separate modules on IoT security, malware analysis and vulnerability assessment. It also introduces the CEH Practical certification (a grueling 6 hour exam!)

Exam Format


The CEH v10 exam format is the same as CEH v9.

  1. Number of questions: 125 (All multiple-choice questions)
  2. Test duration: 4 hours
  3. Exam prefix: 312-50

The passing marks depend on the type of questions you face in the exam. If you have a difficult paper, the passing mark is lower and vice versa.

Prerequisites


To be eligible for attempting the CEH certification, you would have to possess one of the following:

  1. Official training from EC-Council, either through an accredited training center, iWeek platform, or at an approved academic institution.
  2. Two years of work experience in the information security domain

Purchasing the Training Materials


Having never worked in the security industry before, I had to buy the official training materials from EC-Council. I was planning to take the exam from home, so I chose the iWeek platform, which cost me $450. In this package, I received:

  1. ASPEN e-courseware access code
    1. This is the EC-Council administered site (www.aspen.eccouncil.org) where you can download the training materials. They require specialized software and an internet connection to view.
  2. ASPEN training evaluation
    1. After the 5-day training from an EC-Council certified instructor, you need to fill out a survey on ASPEN evaluating your experience.
  3. ECC ProctorU exam voucher
    1. This is the exam voucher which is valid for one year. You would require this on the exam day (www.eccexam.com).
  4. CEH v10 iLabs code
    1. iLabs is a virtual platform (www.eccouncil.learnondemand.net) for applying the knowledge you gained from the training sessions on practical scenarios.

Exam Preparation


I started preparing for CEH v10 while I was still working at NetApp, Bangalore. The training materials consisted of:
  1. Twenty modules.
  2. iLabs.
Office work regularly took up more than 10 hours of my day. It was quite difficult to maintain a daily schedule of studying the training materials because of fatigue. Weekends, however, presented a good window for studying.

I was able to complete one round of reading through the training material in 2 months. As I read through the modules, I maintained a text file which contained the most relevant points from that chapter. After the first round, my plan was to just read through the text file instead of scouring through the training materials again. This turned out to be a good idea because 100-slide PPT files were reduced to 5-10 pages.

The iLabs section is not very useful for the exam itself. However, it is a very good resource to get a basic practical understanding of what you're learning from the training materials.

Exam Day


My exam was on 4th August, 2018. My session was proctored by technicians from the ProctorU organization.

The technician assigned to me was very polite and asked me a few questions to validate my identity. Since my home is not a test center, the technician asked me to point my laptop camera around my workstation to ensure that there were no illegal materials lying around.

Due to a glitch in my network connectivity, it took them almost forty minutes to set up my test environment - which includes activating flash, camera, microphone and remote control. I thought that the exam would be postponed because of technical issues, but thankfully everything was resolved.

I believe that the four-hour time assigned to the exam is way more than needed. I completed my exam in about 1:15 hours. There is also a CEH Assessment sample exam on the EC-Council website which I could complete in 55 minutes. The result of the exam is displayed the moment you submit. I passed! The results are populated in ASPEN around one week after the exam date. The CEH certificate will then be available to you for download and the paper certificate is dispatched to the specified address as well.


Exam Tips


Here are some tips which I believe would be useful to those who are planning to attempt the CEH exam:
  1. Attempt the CEH assessment exam. I found 3-4 questions on the CEH exam which were picked as is from the assessment exam.
  2. Attempt sample exams (you have an option to tweak the number of questions) from www.ceh.cagy.org. I found the sample questions very helpful and there were a few questions on the CEH exam which were picked up from here. Also, note that CEH v10 is the new version and the questions on www.ceh.cagy.org are from CEH v9 and/or CEH v8.
  3. Make reliable notes when reading through the training materials. This would be very helpful when revising a few days prior to the exam.
  4. Memorize the well-known port numbers and also the port numbers that popular malware uses.
  5. Memorize the tool names. It is very important for a cybersecurity professional to know which tools to use when faced with a situation (especially DDoS). You cannot always start from the ground up, and by the time you are ready the cyber criminal will be long gone.
  6. The CEH provides a massive amount of theoretical knowledge. Ensure that you understand them enough to apply in a practical scenario.

Exam Takeaway


Preparing for the CEH exam was very helpful in furthering my theoretical knowledge database. Although the practical knowledge received is minimal, it is important to remember that the CEH is an entry-level certification. After the CEH, I'm much more comfortable in understanding cyber security discussions online and more importantly, I know which tools are helpful in various situations. There is no cybersecurity professional who would say tools are for noobs (and I'm not talking about script kiddies - they are the real noobs).

If you're planning to take the CEH exam, good luck! If not, are you sure? If you're sincere in studying the training materials, it's not a difficult exam to pass. If you have any questions, leave a comment below and I'll get back to you as soon as I can.
