#+title: My CEHv11 Notes From Scratch

* Module 1: Introduction to Ethical Hacking
** Module Flow:
1. Information Security Overview
2. Cyber Kill Chain Concepts
3. Hacking Concepts
4. Ethical Hacking Concepts
5. Information Security Concepts
6. Information Security Laws and Standards
** Elements of Information Security
- Confidentiality /authorized to have access/
- Integrity /trustworthiness of data and resources/ /e.g. - Hashing algorithm/
- Availability /required by authorized user/
- Authenticity /quality of being genuine/ /e.g. - Digital Signature/
- Non-Repudiation /a guarantee that the sender of a message can't deny having sent it/
** Motives, Goals and Objectives of Information Security
|------------------------------------------|
| ATTACK = MOTIVE + METHOD + VULNERABILITY |
|------------------------------------------|
![img](/home/nvpie/pustak/notes_central/CEH/motives.png)
** Classification of Attacks
*** Passive Attack
e.g.
1. Footprinting
2. Sniffing and Eavesdropping
3. Network Traffic Analysis
4. Decryption of weakly encrypted traffic
*** Active Attack
![img](~/pustak/notes_central/CEH/active_attacks.png)
*** Close-in Attack
e.g. - Social Engineering (eavesdropping, shoulder surfing, dumpster diving, etc.)
*** Insider Attack
e.g.
1. Eavesdropping and wiretapping
2. Theft of physical devices
3. Social Engineering
4. Data theft and spoliation
5. Pod slurping
6. Planting keyloggers, backdoors and malware
*** Distribution Attack
e.g.
- Modification of software or hardware during production or distribution
** Information Warfare
|------------------------+--------------------|
| Defensive Warfare      | Offensive Warfare  |
|------------------------+--------------------|
| Prevention             | Web app attacks    |
| Deterrence             | Web server attacks |
| Alerts                 | Malware attacks    |
| Detection              | MiTM attacks       |
| Emergency Preparedness | System hacking     |
| Response               |                    |
|------------------------+--------------------|
*** Command and Control Warfare (C2 warfare)
*** Intelligence-based Warfare
*** Electronic Warfare
*** Psychological Warfare
*** Hacker Warfare
*** Economic Warfare
*** Cyberwarfare
*** Defensive Information Warfare
*** Offensive Information Warfare
** Cyber Kill Chain Concepts
- It is an intelligence-driven defense methodology to identify and prevent intrusion activities. An attacker may carry out an attack through the following typical process:
=Recon --> Weaponization --> Delivery --> Exploitation --> Installation --> Command and Control --> Actions on Objectives=
** Tactics, Techniques and Procedures (TTPs)
** Adversary Behavioural Identification
*** Internal Recon
*** Use of PowerShell
*** Unspecified Proxy Attacks
*** Use of CLI
*** HTTP User Agent
*** C&C Server
*** Use of DNS Tunneling
*** Use of Web Shell
*** Data Staging
** Indicators of Compromise (IoCs)
*** Categories of IoCs
- Email
- Network
- Host-based
- Behavioural
*** Key Indicators of IoCs
- Unusual outbound network traffic
- Unusual activity through a privileged user account
- Geographical anomalies
- Multiple login failures
- Increased database read volume
- Large HTML response size
- Multiple requests for the same file
- Mismatched port-application traffic
- Suspicious registry or system file changes
- Unusual DNS requests
- Signs of Distributed Denial-of-Service activity
- Bundles of data in the wrong places
- Web traffic with superhuman behaviour
** Hacking Concepts
*** What is hacking?
In the field of computer security: =Exploiting system vulnerabilities and compromising security controls to gain unauthorized access to a target system and its resources.=
*** Who is a hacker?
1. An =intelligent individual= with =excellent computer skills= who can create and explore computer software and hardware.
2. For some, =hacking is a hobby= to see how many systems they can compromise.
3. Some hackers' intention can be either to =gain knowledge= or to probe and =do illegal things=.
** Hacker Classes
|-----------------+-----------------------------|
| Types           | Description                 |
|-----------------+-----------------------------|
| Black hats      | bad guy                     |
| White hats      | good guy                    |
| Gray hats       | moody                       |
| Suicide hackers | reckless                    |
| Script Kiddies  | uneducated copy cat         |
| Cyber terrorist | ISIS                        |
| State sponsored | Powered by Government       |
| Hacktivist      | Mr. Robot / Anonymous Team  |
|-----------------+-----------------------------|
** Hacking Phases
*** Reconnaissance
- Active
- Passive
*** Scanning
- Pre-attack phase
- Port scanner
- Extract information
*** Gaining Access
- Obtaining access to the OS or application
- Escalate privileges
*** Maintaining Access
- Retaining ownership
- Patching and installing their own backdoors
- Manipulate data
- Use as a platform to hack other networks or systems
*** Clearing Tracks
- Hide malicious acts
- Deleting evidence while maintaining continuous access
- Overwriting logs to avoid suspicion
** What is Ethical Hacking?
- =noun= "hacker" = person who =enjoys learning and mastering= the details of computer systems and mastering the skills
- =verb= "hack" = rapid development of new programs or reverse engineering of existing software to make it better in new and innovative ways.
- =term= "cracker" and "attacker" = person who employs their hacking skills for offensive purposes.
- =term= "ethical hacker" = security professional who employs their hacking skills for defensive purposes.
* Module 2: Footprinting and Reconnaissance
** Lab 01: Using Google dorks
~intitle:password site:eccouncil.org~
~eccouncil filetype:pdf~
** Lab 02: Task 1: Using netcraft.com
View all subdomains:
~Site >> Resources >> Site Report >> url >> network field >> domain~
** Lab 03: Task 1: Using theHarvester
Gather employees' information from LinkedIn:
~theHarvester -d eccouncil -l 200 -b linkedin~
** Lab 04: Task 1: Using ping (Windows OS)
Gathering information about a website using ping:
#+begin_src shell
ping goodshopping.com
ping goodshopping.com -f -l 1500
ping goodshopping.com -f -l 1300
#+end_src
** Lab 04: Task 4: Using HTTrack (Windows OS)
Mirroring a website. Install the HTTrack tool:
~D(CEH TOOLS):\CEH TOOLS\Module2 - Footprinting and reconnaissance\website mirroring tools\httrack website copier\httrack-3.49.2.exe~
Open the HTTrack GUI >> next (new project) >> project name >> next >> Add url (goodshopping.com) >> set options >> Scan Rules >> checkboxes (gifs, compression files, media files) >> next >> disconnect when finished >> finish >> browse mirrored website >> finish >> exit
** Lab 05: Using eMailTrackerPro
Tracing email headers. Install the tool:
~D(CEH TOOLS):\CEH TOOLS\Module2 - Footprinting and reconnaissance\emailtracking tools\eMailTrackerPro\emt.exe~
Open eMailTrackerPro >> my trace reports >> Trace Headers >> paste headers
** Lab 06: Whois lookup using DomainTools
Go to whois.domaintools.com >> www.certifiedhacker.com >> lookup
** Lab 07: Task 1: Using nslookup (Windows OS)
Gathering DNS information using the nslookup CLI and an online tool.
Open command prompt >> ~nslookup~
Default settings were:
#+begin_src shell
Default Server: dns.google
Address: 0.0.0.0
#+end_src
~set type=a >> certifiedhacker.com~
~set type=cname >> certifiedhacker.com~
~set type=a >> ns1.bluehost.com~
Online method: go to www.kloth.net/services/nslookup.php
Domain >> certifiedhacker.com
Query field >> default >> Look it up
Query field >> AAAA (IPv6 address) >> Look it up
** Lab 08: Task 1: Performing network trace routing in Windows and Linux machines
Windows OS: Open command prompt >> tracert www.certifiedhacker.com
~tracert -h 5 www.certifiedhacker.com~
Linux OS: Open Terminal >> ~traceroute~ >> www.certifiedhacker.com
** Lab 09: Task 1: Using recon-ng
Gathering host information. Terminal >>
#+begin_src shell
recon-ng
help
marketplace install all
modules search
workspaces
workspaces create CEH
workspaces select CEH
workspaces list
db insert domains certifiedhacker.com
show domains
modules load brute
modules load recon/domains-hosts/brute_hosts
run
modules load recon/hosts-hosts/reverse_resolve
run
show hosts
back
modules load reporting/
modules load reporting/html
options set FILENAME /root/Desktop/results.html
options set CREATOR Jason
options set CUSTOMER certifiedHacker Networks
run
#+end_src
Gathering personal information:
#+begin_src shell
recon-ng
workspaces create reconnaissance
modules load recon/domains-contacts/whois_pocs
info
options set SOURCE facebook.com
run
back
modules load recon/profiles-profiles/namechk
options set SOURCE MarkZuckerberg
run
back
modules load recon/profiles-profiles/profiler
options set SOURCE MarkZuckerberg
run
back
modules load reporting/html
options set FILENAME /root/Desktop/Reconnaissance.html
options set CREATOR Jason
options set CUSTOMER Mark Zuckerberg
run
#+end_src
*** Flags
1. Perform host discovery using Nmap and find the IP address of the machine hosting www.goodshopping.com.
   cmd: nmap -sN -PR 10.10.1.19
   Ans: 10.10.1.19
2. In the Windows 10 machine, use the Angry IP Scanner tool located at D:\CEH-Tools\CEHv11 Module 03 Scanning Networks\Ping Sweep Tools\Angry IP Scanner to discover the active hosts in the target network. Find the hostname of the machine whose IP address is 10.10.1.14.
   Ans: Android.local
3. Perform an ICMP ECHO ping sweep to discover live hosts on your network subnet. Find the number of live hosts in the subnet.
   cmd: nmap -sN -PE 10.10.1.0/24
   Ans: 6
4. Browse anonymously using Proxy Switcher.
   Flag submission is not required for this task; enter "No flag" as the answer.
   cmd:
   Ans: No flag
5. In Windows Server 2019, use the Colasoft Packet Builder tool located at Z:\CEHv11 Module 03 Scanning Networks\Packet Crafting Tools\Colasoft Packet Builder to create custom packets to scan the target host (Windows 10). Observe the "Decode Editor" section and find out the packet length value. Note: Turn on the Windows Defender Firewall to perform this task.
   Ans: 64
6. Browse anonymously using CyberGhost VPN. Flag submission is not required for this task; enter "No flag" as the answer.
*** Flags Answers
**** Flag 1 of 30
Search for www.eccouncil.org on Netcraft (https://www.netcraft.com) and identify the operating system of the web server hosting the website www.eccouncil.org.
Ans: Linux
**** Flag 2 of 30
Use an advanced Google hacking technique to find PDF files on the website www.eccouncil.org. Enter the complete URL of the CEHv11-Brochure.pdf file.
Ans: https://www.eccouncil.org/wp-content/uploads/2020/09/CEHv11-Brochure.pdf
**** Flag 3 of 30
Use the Shodan IoT search engine to search for information about vulnerable IoT devices in a target organization, Amazon. Enter YES if you find details of vulnerable IoT devices related to Amazon; else, enter NO.
Ans: YES
**** Flag 4 of 30
Search for EC-COUNCIL on YouTube (https://www.youtube.com) and perform a reverse image search on any of the YouTube videos using the YouTube Metadata (https://mattw.io/youtube-metadata/) video analysis tool. Enter the Video ID.
**** Flag 5 of 30
Use the NAPALM FTP Indexer (https://www.searchftps.net/) to extract critical FTP information about a target organization, Microsoft. Enter YES if you find files located on the target's FTP servers; else, enter NO.
Ans: AAA
**** Flag 6 of 30
Use the Sherlock tool to gather all the URLs related to Satya Nadella from various social networking sites. Enter the complete URL related to Satya Nadella that is obtained from the social networking site Academia.edu.
Ans: aaaaa://aaaaaaaaaaa.aaaaaaaa.aaa/aaaaa
**** Flag 7 of 30
Use theHarvester tool to gather information about the employees (name and job title) of a target organization (eccouncil.org) available on LinkedIn. Enter the option to specify the data source as LinkedIn.
Ans: -a
**** Flag 8 of 30
Use the Followerwonk online tool (https://followerwonk.com/analyze) to gather Twitter information about Satya Nadella. What is the name of the rating Followerwonk uses to rate a user's influence and engagement on Twitter?
Ans: Aaaaaa Aaaaaaaaa
**** Flag 9 of 30
Use the CeWL Ruby application to gather a wordlist from the target website (http://www.certifiedhacker.com). Enter the command which allows you to gather a unique wordlist from the target website with a minimum word length of 6 and a depth of 3 to spider the target website.
Ans: aaaa -a N -a N aaa.aaaaaaaaaaaaaaa.aaa
**** Flag 10 of 30
In the Windows 10 machine, use the Web Data Extractor web spidering tool located at D:\CEH-Tools\CEHv11 Module 02 Footprinting and Reconnaissance\Web Spiders\Web Data Extractor to gather the target company's (http://www.certifiedhacker.com) data. Enter the contact email ID of the support department.
Ans: aaaaaaa*aaaaaaaaaa.aaa
**** Flag 11 of 30
In the Windows 10 machine, use the eMailTrackerPro tool located at D:\CEH-Tools\CEHv11 Module 02 Footprinting and Reconnaissance\Email Tracking Tools to gather information about an email by analyzing the email header. Observe the output and enter YES if the tool contains the "Abuse Reporting" feature; else, enter NO.
Ans: AAA
**** Flag 12 of 30
Identify the name server for the domain www.certifiedhacker.com by using Website Informer (https://website.informer.com).
Ans: AAN.AAAAAAAA.AAA
**** Flag 13 of 30
Use the ping command-line utility to test the reachability of the website www.eccouncil.org. Identify the maximum packet/frame size on this machine's network.
Ans: NNNN
**** Flag 14 of 30
In the Windows 10 machine, use the HTTrack Web Site Copier tool located at D:\CEH-Tools\CEHv11 Module 02 Footprinting and Reconnaissance\Website Mirroring Tools\HTTrack Web Site Copier to mirror the entire website of the target organization (http://www.certifiedhacker.com). Enter the newly created HTML file name, which allows you to view the webpage of the mirrored website on any browser.
Ans: aaaaa.aaaa
**** Flag 15 of 30
Perform a Whois lookup using DomainTools and find the registrar of the website www.certifiedhacker.com.
Ans: aaaa://aaaaaaaaaaaaaaaa.aaa
**** Flag 16 of 30
Perform a reverse DNS lookup using DNSRecon on the IP range (162.241.216.0-162.241.216.255) to locate a DNS PTR record. Enter the DNS PTR record for IP address 162.241.216.11.
Ans: aaaNNNN.aaaaaaaa.aaa
**** Flag 17 of 30
Use the nslookup command-line utility to find the primary server of the website www.certifiedhacker.com.
Ans: aaN.aaaaaaaa.aaa
**** Flag 18 of 30
Perform network route tracing using Path Analyzer Pro. Flag submission is not required for this task; enter "No flag" as the answer.
Ans: Aa aaaa -
**** Flag 19 of 30
Use the ARIN Whois database search tool (https://www.arin.net/about/welcome/region) to locate the network range of the target organization (www.certifiedhacker.com). Enter the network range information about the target organization.
Ans: NNN.NNN.N.N - NNN.NNN.NNN.NNN -
**** Flag 20 of 30
Perform network tracerouting using the traceroute command in the Linux machine for the www.certifiedhacker.com domain. Enter the IP address of the target domain.
Ans: NNN.NNN.NNN.NN
**** Flag 21 of 30
Use the BillCipher tool to footprint a target website URL (www.certifiedhacker.com). Identify the web server application used to host the web pages.
Ans: Aaaaaa
**** Flag 22 of 30
Use the Recon-ng tool to gather personnel information. Enter the Recon-ng module name, which allows you to find user profiles on various websites.
Ans: aaaaa/aaaaaaaa-aaaaaaaa/aaaaaaaa
**** Flag 23 of 30
Use the Maltego tool to gather information about the target organization (www.certifiedhacker.com).
Enter the information about the mail exchange server associated with the certifiedhacker.com domain.
Ans: aaaa.aaaaaaaaaaaaaaa.aaa
**** Flag 24 of 30
Use the OSRFramework tool to check for the existence of a Mark Zuckerberg profile on different social networking platforms. Enter YES if the given user profile exists; else, enter NO.
Ans: AAA
**** Flag 25 of 30
Use the FOCA tool to gather information about the target organization, www.certifiedhacker.com. Flag submission is not required for this task; enter "No flag" as the answer.
Ans: Aa aaaa
**** Flag 26 of 30
Use the OSINT Framework (https://osintframework.com) to explore footprinting categories and associated tools. Enter the complete website URL of the Domain Dossier tool, which generates reports from public records.
Ans: aaaaa://aaaaaaaaaa.aaa/aa/AaaaaaAaaaaaa.aaaa
**** Flag 27 of 30
Use Tor Browser to perform searches on the deep and dark web. Identify the search engine Tor Browser uses to perform a dark web search.
Ans: AaaaAaaaAa
**** Flag 28 of 30
Use Censys (https://censys.io/domain?q=) to perform passive footprinting of www.eccouncil.org. Identify the server running the HTTP and HTTPS services.
(3 of 5) AXARNET-AS
**** Flag 29 of 30
Gather personal information about Satya Nadella (CEO of Microsoft) using PeekYou (https://www.peekyou.com), an online people search service. Enter the name of the university where Satya Nadella studied for his MBA.
Ans: University of Chicago
**** Flag 30 of 30
Use theHarvester tool to gather the list of email IDs related to the Microsoft (www.microsoft.com) organization from the Baidu search engine. Enter YES if you find any email ID; else, enter NO.
Ans: YES
* Module 3: Network Scanning
Flow:
- Concept
- Tools
- Host discovery
- Port and service discovery
- OS discovery
- Scanning beyond IDS/Firewall
- Draw network diagrams
* Module 9: Social Engineering
SE is:
- the establishment of trust and the exploitation of trust
- the art of convincing people to reveal confidential information
What makes a system vulnerable to SE?
- Lack of security policies
** Phases of SE
- Recon
- Target selection
- Developing a relationship
- Exploiting the relationship
** Types of SE
- Human based
  - Impersonation
  - Vishing (VoIP Phishing)
- Computer based
  - Phishing [OhPhish - EC-Council's phishing assessment]
    - Spear phishing - specific individual
    - Whaling - high-profile executive
    - Pharming - web traffic, DNS poisoning
    - Spimming - Instant Messaging platforms
- Mobile based
  - SMiShing (SMS Phishing)
** Insider Threats/Attacks
Types of insider threat:
- Malicious insider
- Negligent
- Professional
- Compromised
** SE through Impersonation on Social Networking Sites
** Identity Theft
Types of identity theft:
- Child ID theft
- Criminal
- Financial
- Driver's license
- Insurance
- Medical
- Tax
- Identity cloning and concealment
- Synthetic
- Social Security
** Social Engineering Tools
- SET
- OhPhish
* Module 10
** IDS alert system
| code           | status               |
|----------------+----------------------|
| True positive  | attack - alert       |
| False positive | no attack - alert    |
| False negative | attack - no alert    |
| True negative  | no attack - no alert |
** IPS - active IDS
- Continuous monitoring system
- Sits behind the firewall
- Actively monitors network traffic
- Automatically takes decisions
** Firewall
Erik's Homegrown Definition: ~Firewall is a device that mediates access between two networks of dissimilar trust levels.~
[ Internet ] ---------> [ Firewall ] ----------> [ IPS ] ------ [ IDS ] ----------> [ Corporate Network ]
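The Module 1 indicator list (multiple login failures, unusual activity through a privileged account, unusual DNS requests) and the Module 10 IDS outcome table can be tied together in code. This added example is not part of the original notes: it runs three simple detection rules over constructed log lines and then scores the alerts per source IP as true/false positives and negatives. The log format, the 07:00-18:59 business-hours window, the three-failure threshold and the 16-character DNS label length are all assumptions made for the example.

```python
import re
from collections import defaultdict
# Constructed sample logs (not from the notes): an SSH auth log and a DNS query log.
AUTH_LOG = """\
2024-03-01T02:14:01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T02:14:03 sshd: Failed password for admin from 203.0.113.7
2024-03-01T02:14:05 sshd: Failed password for admin from 203.0.113.7
2024-03-01T02:14:09 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T09:30:11 sshd: Accepted password for alice from 10.10.1.14
2024-03-01T09:31:40 sshd: Failed password for bob from 10.10.1.19
2024-03-01T03:05:22 sshd: Accepted password for root from 10.10.1.22
"""
DNS_LOG = """\
2024-03-01T09:32:00 query A www.certifiedhacker.com from 10.10.1.14
2024-03-01T03:06:01 query TXT aGVsbG8gd29ybGQgZnJvbSBhIHR1bm5lbA.t.example.net from 10.10.1.22
"""
AUTH_RE = re.compile(r"^\S+T(\d\d):\d\d:\d\d sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
DNS_RE = re.compile(r"^\S+ query (\S+) (\S+) from (\S+)$")
PRIVILEGED = {"root", "admin"}      # assumption: accounts treated as privileged
BUSINESS_HOURS = range(7, 19)       # assumption: 07:00-18:59 is normal working time

def detect(auth_log, dns_log, failure_threshold=3, label_len=16):
    """Apply three Module 1 indicators; return sorted (indicator, source IP) alerts."""
    alerts, failures = set(), defaultdict(int)
    for m in filter(None, map(AUTH_RE.match, auth_log.splitlines())):
        hour, result, user, src = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        if result == "Failed":
            failures[src] += 1
            if failures[src] >= failure_threshold:
                alerts.add(("multiple login failures", src))
        elif user in PRIVILEGED and hour not in BUSINESS_HOURS:
            alerts.add(("unusual privileged account activity", src))
    for m in filter(None, map(DNS_RE.match, dns_log.splitlines())):
        qtype, name, src = m.groups()
        # A long, encoded-looking leftmost label in a TXT query is the classic DNS tunneling sign.
        if qtype == "TXT" and len(name.split(".")[0]) >= label_len:
            alerts.add(("unusual DNS request", src))
    return sorted(alerts)

def ids_outcomes(alerted, attacking, all_sources):
    """Module 10 table: (attack?, alert?) -> TP / FP / FN / TN, counted per source IP."""
    names = {(True, True): "true positive", (False, True): "false positive",
             (True, False): "false negative", (False, False): "true negative"}
    counts = dict.fromkeys(names.values(), 0)
    for src in all_sources:
        counts[names[(src in attacking, src in alerted)]] += 1
    return counts

def run_example():
    """Detect, then score against constructed ground truth: bob's one failure (10.10.1.19) was a
    slow brute force the rules missed (FN); the night root login from 10.10.1.22 was legitimate (FP)."""
    alerts = detect(AUTH_LOG, DNS_LOG)
    attacking = {"203.0.113.7", "10.10.1.19"}
    sources = {"203.0.113.7", "10.10.1.14", "10.10.1.19", "10.10.1.22"}
    return alerts, ids_outcomes({src for _, src in alerts}, attacking, sources)
```

Raising `failure_threshold` or `label_len` trades false positives for false negatives, which is exactly the balance the Module 10 table describes.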