💾 Archived View for envs.net › ~neovoid › notes › CEH › CEH_notes.md captured on 2024-08-18 at 19:05:27.
#+title: My CEHv11 Notes From Scratch
- Module 1: Introduction to Ethical Hacking
- * Module Flow:
1. Information Security Overview
2. Cyber kill chain Concepts
3. Hacking Concepts
4. Ethical Hacking Concepts
5. Information Security Concepts
6. Information Security Laws and Standards
- * Elements of Information Security
- Confidentiality
/authorized to have access/
- Integrity
/trustworthiness of data and resources/
/e.g. - Hashing algorithm/
- Availability
/required by authorized user/
- Authenticity
/quality of being genuine/
/e.g. - Digital Signature/
- Non-Repudiation
/A guarantee that the sender of a message cannot deny having sent it/
- * Motives, Goal and Objectives of Information Security
|------------------------------------------|
| ATTACK = MOTIVE + METHOD + VULNERABILITY |
|------------------------------------------|
![img](/home/nvpie/pustak/notes_central/CEH/motives.png)
- * Classification of Attacks
Passive attacks, e.g. - 1. Footprinting
2. Sniffing and Eavesdropping
3. Network Traffic Analysis
4. Decryption of weakly encrypted traffic
Active attacks:
![img](~/pustak/notes_central/CEH/active_attacks.png)
Close-in attacks, e.g. - Social Engineering (Eavesdropping, shoulder surfing, dumpster diving, etc.)
Insider attacks, e.g. - 1. Eavesdropping and wiretapping
2. Theft of physical devices
3. Social Engineering
4. Data theft and spoliation
5. Pod slurping
6. Planting keyloggers, backdoors and malware
Distribution attacks, e.g. - Modification of software or hardware during production or distribution
|------------------------+--------------------|
| Defensive Warfare | Offensive Warfare |
|------------------------+--------------------|
| Prevention | Web app attacks |
| Deterrence | Web server attacks |
| Alerts | Malware attacks |
| Detection | MiTM Attacks |
| Emergency Preparedness | System Hacking |
| Response | |
|------------------------+--------------------|
- ** Command and control warfare (c2 warfare)
- ** Intelligence-based warfare
- ** Electronic Warfare
- ** Psychological warfare
- ** Hacker Warfare
- ** Economic Warfare
- ** Cyberwarfare
- ** Defensive Information Warfare
- ** Offensive Information Warfare
- * Cyber Kill Chain Concepts
- It is an intelligence-driven defense methodology to identify and prevent intrusion activities.
A hacker may carry out an attack through the following typical process:
=Recon --> Weaponization --> Delivery --> Exploitation --> Installation --> Command and control --> Actions on objectives=
- * Tactics, Techniques and Procedures (TTPs)
- * Adversary Behavioural Identification
- ** Internal Recon
- ** Use of Powershell
- ** Unspecified Proxy Attacks
- ** Use of CLI
- ** Http user agent
- ** C2C Server
- ** Use of dns tunneling
- ** Use of web shell
- ** Data staging
- * Indicators of Compromise (IoCs)
- ** Categories of IoCs
- Email
- Network
- Host-based
- Behavioural
- ** Key Indicators of IoCs
- Unusual outbound network traffic
- Unusual activity through a privileged user account
- Geographical anomalies
- Multiple login failures
- Increased database read volume
- Large HTML response size
- Multiple requests for the same file
- Mismatched port-application traffic
- Suspicious registry or system file changes
- Unusual DNS requests
- Signs of Distributed Denial-of-Service activity
- Bundles of data in the wrong places
- Web traffic with superhuman behaviour
- * Hacking Concepts
- ** What is hacking?
In the field of computer Security:
=Exploiting system vulnerabilities and compromise security controls to gain unauthorized access to target system and its resources.=
1. An =intelligent individual= with =excellent computer skills= who can create and explore computer software and hardware.
2. For some, =hacking is a hobby= to see how many systems they can compromise.
3. Some hackers' intention can either be to =gain knowledge= or to probe and =do illegal things=.
|-----------------+-----------------------------|
| Types | Description |
|-----------------+-----------------------------|
| Black hats | bad guy |
| white hats | good guy |
| gray hats | moody |
| suicide hackers | reckless                    |
| Script Kiddies  | uneducated copy cat         |
| cyber terrorist | ISIS                        |
| State sponsored | Powered by Government       |
| Hacktivist      | Mr. Robot / Anonymous Team  |
|-----------------+-----------------------------|
- * Hacking Phases
- ** Reconnaissance
- Active
- Passive
- Pre-attack phase
- ** Scanning
- Port scanner
- Extract information
- ** Gaining Access
- Obtaining access to OS or application
- Escalate privileges
- ** Maintaining Access
- Retaining ownership
- Patching and installing their own backdoors
- Manipulate data
- Use as a platform to hack other networks or systems
- ** Clearing Tracks
- Hide malicious acts
- Deleting evidence while maintaining continuous access
- Overwriting logs to avoid suspicion
- * What is Ethical Hacking?
=noun= "hacker" = person who =enjoys learning and mastering= the details of computer systems and stretching their capabilities
=verb= "hack" = rapid development of new programs or reverse engineering of existing software to make it better in new and innovative ways.
=term= "cracker" and "attacker" = person who employs their hacking skills for offensive purposes.
=term= "ethical hacker" = security professional who employs their hacking skills for defensive purposes.
- Module 2: Footprinting and Reconnaissance
- * Lab 01: Using google dorks
~intitle:password site:eccouncil.org~
~eccouncil filetype:pdf~
- * Lab 02: Task 1 : Using netcraft.com
View all subdomains:
~Site >> Resources >> Site Report >> url >> network field >> domain~
- * Lab 03: Task 1 : using theHarvester
gather employee information from LinkedIn
~theHarvester -d eccouncil -l 200 -b linkedin~
- * Lab 04: Task 1 : using ping (windows os)
gathering information of website using ping
#+begin_src shell
ping goodshopping.com
ping goodshopping.com -f -l 1500
ping goodshopping.com -f -l 1300
#+end_src
- * Lab 04: Task 4 : using httrack (windows os)
mirroring website
Install httrack tool:
~D(CEH TOOLS):\CEH TOOLS\Module2 - Footprinting and reconnaissance\website mirroring tools\httrack website copier\httrack-3.49.2.exe~
open httrack gui >> next (new project) >> project name >> next >> Add url (goodshopping.com)>> set options >> Scan Rules >> checkboxes (gifs, compression files, media files) >> next >> disconnect when finished >> finish >> browse mirror website >> finish >> exit
- * Lab 05: using emailTrackerPro
Tracing email headers
Install tool:
~D(CEH TOOLS):\CEH TOOLS\Module2 - Footprinting and reconnaissance\emailtracking tools\eMailTrackerPro\emt.exe~
open emailTrackerPro >> my trace reports >> Trace Headers >> paste headers
- * Lab 06: Whois lookup using DomainTools
goto whois.domaintools.com >> www.certifiedhacker.com >> lookup
- * Lab 07: Task 1: using nslookup (windows os)
gathering DNS information using the nslookup CLI and an online tool
open command prompt >> ~nslookup~
default settings were:
#+begin_src shell
Default Server: dns.google
Address: 0.0.0.0
#+end_src
~set type=a >> certifiedhacker.com~
~set type=cname >> certifiedhacker.com~
~set type=a >> ns1.bluehost.com~
online method:
goto: www.kloth.net/services/nslookup.php
Domain >> certifiedhacker.com
queryfield >> default
lookitup
queryfield >> AAAA (ipv6 address)
lookitup
- * Lab 08: Task 1: Performing network trace routing in windows and linux machine
Windows OS:
Open command prompt >> tracert www.certifiedhacker.com
~tracert -h 5 www.certifiedhacker.com~
Linux OS:
Open Terminal >> ~traceroute www.certifiedhacker.com~
- * Lab 09: Task 1: using recon-ng
Gathering host information
Terminal >>
#+begin_src shell
recon-ng
help
marketplace install all
modules search
workspaces
workspaces create CEH
workspaces select CEH
workspaces list
db insert domains
certifiedhacker.com
show domains
modules load brute
modules load recon/domains-hosts/brute_hosts
run
modules load recon/hosts-hosts/reverse_resolve
run
show hosts
back
modules load reporting/
modules load reporting/html
options set FILENAME /root/Desktop/results.html
options set CREATOR Jason
options set CUSTOMER certifiedHacker Networks
run
#+end_src
Gathering personal information
#+begin_src shell
recon-ng
workspaces create reconnaissance
modules load recon/domains-contacts/whois_pocs
info
options set SOURCE facebook.com
run
back
modules load recon/profiles-profiles/namechk
options set SOURCE MarkZuckerberg
run
back
modules load profiles-profiles/profiler
options set SOURCE MarkZuckerberg
run
back
modules load reporting/html
options set FILENAME /root/Desktop/Reconnaissance.html
options set CREATOR Jason
options set CUSTOMER Mark Zuckerberg
run
#+end_src
1. Perform host discovery using Nmap and find the IP address of the machine hosting www.goodshopping.com
cmd: nmap -sN -PR 10.10.1.19
Ans: 10.10.1.19
2. In Windows 10 machine, use the Angry IP Scanner tool located at D:\CEH-Tools\CEHv11 Module 03 Scanning Networks\Ping Sweep Tools\Angry IP Scanner to discover the active hosts in the target network. Find the hostname of the machine whose IP address is 10.10.1.14
Ans:Android.local
3. Perform an ICMP ECHO ping sweep to discover live hosts on your network subnet. Find the number of live hosts in the subnet
cmd: nmap -sN -PE 10.10.1.0/24
Ans: 6
4. Browse anonymously using Proxy Switcher. Flag submission is not required for this task, enter "No flag" as the answer
cmd:
Ans: No flag
5. In Windows Server 2019, use the Colasoft Packet Builder tool located at Z:\CEHv11 Module 03 Scanning Networks\Packet Crafting Tools\Colasoft Packet Builder to create custom packets to scan the target host (Windows 10). Observe the “Decode Editor” section and find out the packet length value. Note: Turn on the Windows Defender Firewall to perform this task
Ans: 64
6. Browse anonymously using CyberGhost VPN. Flag submission is not required for this task, enter "No flag" as the answer
Flag 1 of 30
Search for www.eccouncil.org on Netcraft (https://www.netcraft.com) and identify the operating system of the web server hosting the website www.eccouncil.org.
Ans:Linux
Flag 2 of 30
Use an advanced Google hacking technique to find PDF files on the website www.eccouncil.org. Enter the complete URL of the CEHv11-Brochure.pdf file.
Ans:https://www.eccouncil.org/wp-content/uploads/2020/09/CEHv11-Brochure.pdf
Flag 3 of 30
Use the Shodan IoT search engine to search for information about vulnerable IoT devices in a target organization, Amazon. Enter YES if you find details of vulnerable IoT devices related to amazon; else, enter NO.
Ans:YES
Flag 4 of 30
Search for EC-COUNCIL on YouTube (https://www.youtube.com) and perform a reverse image search on any of the YouTube video using Youtube Metadata (https://mattw.io/youtube-metadata/) video analysis tool. Enter the Video ID.
Flag 5 of 30
Use the NAPALM FTP Indexer (https://www.searchftps.net/) to extract critical FTP information about a target organization, Microsoft. Enter YES if you find files located on the target's FTP servers; else, enter NO.
AAA
Flag 6 of 30
Use the Sherlock tool to gather all the URLs related to Satya Nadella from various social networking sites. Enter the complete URL related to Satya Nadella that is obtained from the social networking site Academia.edu.
aaaaa://aaaaaaaaaaa.aaaaaaaa.aaa/aaaaa
Flag 7 of 30
Use theHarvester tool to gather information about the employees (name and job title) of a target organization (eccouncil.org) available on LinkedIn. Enter the option to specify the data source as LinkedIn.
-a
Flag 8 of 30
Use the Followerwonk online tool (https://followerwonk.com/analyze) to gather Twitter information about Satya Nadella. What is the name of rating Followerwonk uses to rate a user's influence and engagement on Twitter?
Aaaaaa Aaaaaaaaa
Flag 9 of 30
Use CeWL ruby application to gather a wordlist from the target website (http://www.certifiedhacker.com). Enter the command which allows you to gather a unique wordlist from the target website with a minimum word length of 6 and the depth of 3 to spider the target website.
aaaa -a N -a N aaa.aaaaaaaaaaaaaaa.aaa
Flag 10 of 30
In the Windows 10 machine, use Web Data Extractor web spidering tool located at D:\CEH-Tools\CEHv11 Module 02 Footprinting and Reconnaissance\Web Spiders\Web Data Extractor to gather the target company’s (http://www.certifiedhacker.com) data. Enter the contact email ID of the support department.
aaaaaaa*aaaaaaaaaa.aaa
Flag 11 of 30
In Windows 10 machine, use eMailTrackerPro tool located at D:\CEH-Tools\CEHv11 Module 02 Footprinting and Reconnaissance\Email Tracking Tools to gather information about an email by analyzing the email header. Observe the output and enter YES if the tool contains the “Abuse Reporting” feature; else, enter NO.
AAA
Flag 12 of 30
Identify the name server for the domain www.certifiedhacker.com by using Website Informer (https://website.informer.com).
AAN.AAAAAAAA.AAA
Flag 13 of 30
Use the ping command-line utility to test the reachability of the website www.eccouncil.org. Identify the maximum packet/frame size on this machine’s network.
NNNN
Flag 14 of 30
In the Windows 10 machine, use HTTrack Web Site Copier tool located at D:\CEH-Tools\CEHv11 Module 02 Footprinting and Reconnaissance\Website Mirroring Tools\HTTrack Web Site Copier to mirror the entire website of the target organization (http://www.certifiedhacker.com). Enter the newly created HTML file name, which allows you to view the webpage of the mirrored website on any browser.
aaaaa.aaaa
Flag 15 of 30
Perform a Whois lookup using DomainTools and find the registrar of the website www.certifiedhacker.com.
aaaa://aaaaaaaaaaaaaaaa.aaa
Flag 16 of 30
Perform a reverse DNS lookup using DNSRecon on IP range (162.241.216.0-162.241.216.255) to locate a DNS PTR record. Enter the DNS PTR record for IP address 162.241.216.11.
aaaNNNN.aaaaaaaa.aaa
Flag 17 of 30
Use the nslookup command-line utility to find the primary server of the website www.certifiedhacker.com.
aaN.aaaaaaaa.aaa
Flag 18 of 30
Perform network route tracing using Path Analyzer Pro. Flag submission is not required for this task, enter "No flag" as the answer.
Aa aaaa
Flag 19 of 30
Use the ARIN Whois database search tool (https://www.arin.net/about/welcome/region) to locate the network range of the target organization (www.certifiedhacker.com). Enter the network range information about the target organization.
NNN.NNN.N.N - NNN.NNN.NNN.NNN
Flag 20 of 30
Perform network tracerouting using traceroute command in Linux machine for www.certifiedhacker.com domain. Enter the IP address of the target domain.
NNN.NNN.NNN.NN
Flag 21 of 30
Use the BillCipher tool to footprint a target website URL (www.certifiedhacker.com). Identify the webserver application used to host the web pages.
Aaaaaa
Flag 22 of 30
Use the Recon-ng tool to gather personnel information. Enter the Recon-ng module name, which allows you to find user profiles on various websites.
aaaaa/aaaaaaaa-aaaaaaaa/aaaaaaaa
Flag 23 of 30
Use the Maltego tool to gather information about the target organization (www.certifiedhacker.com). Enter the information about the mail exchange server associated with the certifiedhacker.com domain.
aaaa.aaaaaaaaaaaaaaa.aaa
Flag 24 of 30
Use the OSRFramework tool to check for the existence of a Mark Zuckerberg profile on different social networking platforms. Enter YES if the given user profile exists; else, enter NO.
AAA
Flag 25 of 30
Use the FOCA tool to gather information about the target organization, www.certifiedhacker.com. Flag submission is not required for this task, enter "No flag" as the answer.
Aa aaaa
Flag 26 of 30
Use the OSINT Framework (https://osintframework.com) to explore footprinting categories and associated tools. Enter the complete website URL of the Domain Dossier tool, which generates reports from public records
aaaaa://aaaaaaaaaa.aaa/aa/AaaaaaAaaaaaa.aaaa
Flag 27 of 30
Use Tor Browser to perform searches on the deep and dark web. Identify the search engine Tor Browser uses to perform a dark web search.
AaaaAaaaAa
Flag 28 of 30
Use Censys (https://censys.io/domain?q=) to perform the passive footprinting of www.eccouncil.org. Identify the server running the HTTP and HTTPS services. (3 of 5)
AXARNET-AS
Flag 29 of 30
Gather personal information about Satya Nadella (CEO of Microsoft) using PeekYou (https://www.peekyou.com), an online people search service. Enter the name of the university where Satya Nadella studied MBA.
Ans:University of Chicago
Flag 30 of 30
Use theHarvester tool to gather the list of email IDs related to Microsoft (www.microsoft.com) organization from the Baidu search engine. Enter YES if you find any email ID; else, enter NO.
Ans:YES
- Module 3: Network Scanning
- * Module Flow:
- concepts
- tools
- host discovery
- port and service discovery
- OS discovery
- scanning beyond IDS and firewall
- drawing network diagrams
- Module 9: Social Engineering
SE is
- an establishment of trust and the exploitation of that trust
- an art of convincing people to reveal confidential information
What makes system vulnerable to SE?
- Lack of security policies
Phases of SE
- Recon
- target selection
- Developing relation
- Exploiting relation
Types of SE
- Human based
- Impersonation
- vishing (VoIP Phishing)
- computer based
- phishing [OhPhish: EC-Council's phishing assessment platform]
- Spear phishing - specific individual
- whaling - high-profile executive
- pharming - web traffic redirection, DNS poisoning
- spimming - Instant Messaging platforms
- mobile based - SMiShing (SMS Phishing)
Insider Threats/Attacks
Types of Insider Threat
- Malicious Insider
- Negligent
- Professional
- Compromised
SE through Impersonation on social networking sites
Identity theft
Types of Identity Theft
- Child identity theft
- Criminal
- Financial
- Driver's Licenses
- Insurance
- Medical
- Tax
- Identity cloning and concealment
- Synthetic
- Social Security
SET - Social Engineering Tools
OhPhish
IDS alert system
| Outcome        | Attack present / alert raised |
|----------------+-------------------------------|
| True positive  | attack - alert                |
| False positive | no attack - alert             |
| False negative | attack - no alert             |
| True negative  | no attack - no alert          |
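As an added example (not from the original notes), the "Multiple login failures" indicator from the IoC list turned into detection logic and scored with the four IDS outcomes in the table above. The sshd log lines, the threshold and the ground-truth labels are all constructed here; the slow brute-force source shows how a fixed time window yields a false negative.

```python
import re
from datetime import datetime
# Constructed sshd log lines (not from the page): 10.0.0.5 is a fast brute force,
# 10.0.0.9 a slow one, 10.0.0.7 a single typo and 10.0.0.11 a user who mistypes repeatedly.
SAMPLE_LOG = """\
Jan 10 09:00:01 srv sshd[101]: Failed password for admin from 10.0.0.5 port 51000 ssh2
Jan 10 09:00:03 srv sshd[101]: Failed password for root from 10.0.0.5 port 51001 ssh2
Jan 10 09:00:04 srv sshd[101]: Failed password for admin from 10.0.0.5 port 51002 ssh2
Jan 10 09:15:00 srv sshd[102]: Failed password for alice from 10.0.0.7 port 52000 ssh2
Jan 10 09:30:00 srv sshd[103]: Failed password for dave from 10.0.0.11 port 53000 ssh2
Jan 10 09:30:09 srv sshd[103]: Failed password for dave from 10.0.0.11 port 53001 ssh2
Jan 10 09:30:20 srv sshd[103]: Failed password for dave from 10.0.0.11 port 53002 ssh2
Jan 10 10:00:00 srv sshd[104]: Failed password for bob from 10.0.0.9 port 54000 ssh2
Jan 10 10:20:00 srv sshd[104]: Failed password for bob from 10.0.0.9 port 54001 ssh2
Jan 10 10:40:00 srv sshd[104]: Failed password for bob from 10.0.0.9 port 54002 ssh2
"""
# Constructed ground truth for scoring: which sources were genuinely attacks.
TRUTH = {"10.0.0.5": True, "10.0.0.7": False, "10.0.0.9": True, "10.0.0.11": False}

FAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (\S+) from (\S+)")

def parse_failures(text, year=2024):
    """Return (timestamp, user, src_ip) per failed-login line; syslog omits the year, so assume one."""
    out = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            out.append((datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S"), m[2], m[3]))
    return out

def flag_sources(failures, threshold=3, window_s=60):
    """Alert on a source IP when >= threshold failures fall within any window_s-second span."""
    by_ip = {}
    for ts, _user, ip in failures:
        by_ip.setdefault(ip, []).append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        # Slide over sorted timestamps: times[i] and times[i+threshold-1] bound a run of `threshold` failures.
        if any((times[i + threshold - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - threshold + 1)):
            flagged.add(ip)
    return flagged

def confusion(flagged, truth):
    """Score alerts with the page's four outcomes: true/false x positive/negative."""
    cells = {"true_positive": 0, "false_positive": 0, "false_negative": 0, "true_negative": 0}
    for ip, is_attack in truth.items():
        alerted = ip in flagged
        cells[("true_" if alerted == is_attack else "false_") + ("positive" if alerted else "negative")] += 1
    return cells

if __name__ == "__main__":
    hits = flag_sources(parse_failures(SAMPLE_LOG))
    print("alerted:", sorted(hits))   # ['10.0.0.11', '10.0.0.5']
    print(confusion(hits, TRUTH))     # one of each outcome
```

Widening the window catches the slow source at the cost of more false positives, which is exactly the trade-off the outcome table is meant to make visible.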
# IPS
- active IDS
- continuous monitoring system
- sits behind the firewall
- actively monitors network traffic
- automatically takes action on what it detects
# Firewall
Erik's Homegrown Definition:
`Firewall is a device that mediates access between two networks of dissimilar trust levels.`
[ Internet ] ---------> [ Firewall ] ----------> [ IPS ] ------ [ IDS ] ----------> [ Corporate Network ]